Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from web requests is being passed directly to subprocess functions, allowing external data to control system commands. This makes it possible for attackers to inject malicious commands into your application.

Impact

If exploited, an attacker could execute arbitrary system commands on your server, potentially leading to data theft, system compromise, or full server takeover. This can result in loss of sensitive information, service disruption, or enabling further attacks within your infrastructure.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User-supplied input is being passed directly to functions that spawn new processes (like os.spawn* or os.posix_spawn). This allows attackers to inject malicious commands that your application will execute on the server.

Impact

If exploited, an attacker could run arbitrary system commands with the same permissions as your application, potentially leading to data theft, server compromise, or complete takeover of the host. This can expose sensitive data, disrupt services, or allow further attacks on your infrastructure.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from environment variables or command-line arguments is being passed directly to system calls like os.system() or os.popen(), making the application vulnerable to command injection. This lets attackers execute arbitrary system commands if they can control the input.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The code passes user-controlled input from environment variables or command-line arguments directly into OS command execution functions like os.exec*. This allows attackers to inject and run arbitrary system commands.

Impact

If exploited, an attacker could execute malicious commands on the server with the application’s privileges, potentially leading to data theft, system compromise, or a complete takeover of the host machine. This can seriously jeopardize the security and integrity of the application and its underlying infrastructure.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from environment variables or command-line arguments is being passed directly to asyncio’s subprocess_exec, which can allow attackers to inject malicious commands. Failing to sanitize this input makes the code vulnerable to command injection.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code uses subprocess functions to run system commands without safely handling user input or ensuring commands are static. This can allow untrusted data to control what commands are executed, leading to command injection vulnerabilities.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: low
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code passes user-controlled input (such as environment variables or command-line arguments) directly to asyncio.create_subprocess_exec without proper sanitization. This allows untrusted data to influence system commands executed by your application.

Impact

An attacker could inject malicious commands, leading to command execution on the server. This can result in data theft, unauthorized access, service disruption, or full system compromise, putting both your application’s data and infrastructure at risk.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using asyncio.create_subprocess_exec with arguments that are not static strings or trusted inputs can allow attackers to inject malicious commands if user-controlled data is used. This creates a risk of command injection vulnerabilities in your code.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code is executing operating system commands using dynamic or external input. If user-controlled data reaches these process-spawning functions, an attacker could inject and run arbitrary commands.

Impact

An attacker could execute unauthorized commands on the server, potentially leading to data theft, service disruption, or complete system compromise. This puts sensitive data, application integrity, and server resources at serious risk.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

Using subprocess functions with shell=True runs commands through the system shell, which can make your code vulnerable to command injection if user input is involved. This means attackers could execute arbitrary system commands by manipulating inputs.
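As an added example (not part of the rule entries above), this is the hardened counterpart to the shell=True pattern these rules flag: an argv list passed to subprocess with shell=False, a fail-closed allow-list for the user-controlled value, and shlex.quote for the rare case where a shell really is required. The SAFE_TOKEN pattern and the Python one-liner standing in for a real external tool are assumptions made for this example.

```python
import re
import shlex
import subprocess
import sys

# Constructed allow-list: one plain hostname-like token, no whitespace or shell metacharacters.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_token(value: str) -> str:
    """Fail closed: reject anything outside the allow-list rather than stripping characters."""
    if not SAFE_TOKEN.fullmatch(value):
        raise ValueError(f"rejected unsafe argument: {value!r}")
    return value


def build_argv(user_value: str) -> list:
    """Build an argv list for subprocess with shell=False (the default).

    The validated value becomes a single argv element handed directly to the new
    process, so characters such as ';', '|' or '$' are never interpreted by a shell.
    The child is a Python one-liner that echoes its first argument, standing in for
    a real tool (assumption for this example).
    """
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", validate_token(user_value)]


def run_checked(user_value: str) -> str:
    """Run the validated argv and return its stdout; check=True surfaces a non-zero exit."""
    proc = subprocess.run(build_argv(user_value), capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def shell_command_for(user_value: str) -> str:
    """If a shell is unavoidable (pipes, redirection), quote every interpolated value.

    shlex.quote wraps the value in single quotes whenever it contains anything
    outside the shell-safe character set, so the shell sees one literal word.
    Returned as a string for inspection; it is not executed here.
    """
    return "echo " + shlex.quote(user_value)
```

The first two functions are the preferred fix for every subprocess, os.spawn*, os.exec* and asyncio.create_subprocess_exec finding above: keep the program name static and pass each untrusted value as its own argument.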