Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: javascript
Severity: low
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Using child_process.spawn or spawnSync with {shell: true}, or with a shell option whose value is not a constant, runs the command line through the system shell (/bin/sh, or cmd.exe on Windows). Shell metacharacters such as ;, |, &&, $( ) and backticks anywhere in that line are then interpreted, so the call is open to command injection if any input is not fully trusted. Without the shell option the arguments array is handed to the program as-is and those characters have no special meaning; use that form and keep the command name a constant.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The code executes system commands using user-controlled input without validation or sanitization: data from a request reaches the command string of exec, or the command or arguments of spawn, unchanged. An attacker who controls that data can append or alter commands. Prefer execFile or spawn with a fixed command and an arguments array (no shell), and validate the user-supplied value against an allowlist before it becomes an argument.

Impact

If exploited, an attacker could run arbitrary commands on the server, potentially gaining unauthorized access, stealing sensitive data, or disrupting system operations. This could lead to data breaches, loss of control over the server, or further compromise of the infrastructure.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

This code calls Deno.run() (superseded by Deno.Command in current Deno releases) with a cmd array in which part of the command comes from user input or a variable rather than a fixed string. Because cmd is an argv array, no shell is involved unless the array is something like ["sh", "-c", input]; a user-controlled element nevertheless either selects the program to run or is passed to that program, which may parse it as an option. Keep the program name constant, validate each user-supplied element, and never assemble a shell command string from the input.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

shelljs's exec() always runs its string argument through the system shell, so passing untrusted user input into that string lets attackers execute arbitrary system commands on your server. This happens whenever user data is not validated or escaped before it is spliced into the command. Validate the value against an allowlist, or switch to child_process.execFile/spawn with an arguments array so that no shell parses the input.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: php
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using eval() with dynamic, non-constant input allows execution of arbitrary PHP code. Strictly this is code injection (CWE-95) rather than OS command injection, but injected PHP can call shell_exec(), system() or similar and so reaches the operating system as well. If any part of the evaluated string is attacker-controlled, they can inject and run whatever code they like.

Impact

If exploited, an attacker could execute any PHP code on your server, potentially leading to data theft, server compromise, or complete takeover of the application. This poses a serious risk to both application integrity and user data.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: php
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The application takes user input and passes it, without sanitization, to a function that runs shell commands (exec(), shell_exec(), system(), passthru(), popen(), proc_open() or the backtick operator). Shell metacharacters in the input are interpreted by the shell, so an attacker can append commands of their own. Validate the value against an allowlist and, if a shell command cannot be avoided, wrap each argument in escapeshellarg().

Impact

If exploited, an attacker could execute arbitrary commands on the server, potentially gaining access to sensitive data, modifying files, or taking control of the server. This can lead to data breaches, service disruption, or full system compromise.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: php
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The functions this rule matches run their string argument as an OS command, so they lead to command execution if any part of that string is user-controlled. Don’t pass the input through unchanged: validate it against an allowlist, or apply escapeshellarg() to each argument before it is used in the command.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using string formatting or concatenation to build the bash_command of Airflow’s BashOperator can let user-controlled input (for example, values from dag_run.conf or task parameters) end up in the shell script, which the operator runs with bash -c. Jinja references such as {{ dag_run.conf['x'] }} in the command string have the same effect, since templating is string substitution done before bash parses the script. This exposes your DAG to command injection if any interpolated variable is not fully trusted; pass such values through the operator’s env parameter and reference them as quoted shell variables instead.
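The following is an added example, not code from this rule catalog or from Airflow, showing the BashOperator pattern above in plain Python: the script text is built by string formatting on one side and kept constant on the other, with the untrusted value carried in an environment variable (BashOperator’s env= parameter). A small run_bash() helper stands in for what the operator does with the rendered command (bash -c, falling back to sh if bash is absent, an assumption for portability), and UNTRUSTED_PATH is a constructed sample value.

```python
import os
import shutil
import subprocess

# Constructed untrusted value, e.g. taken from dag_run.conf when the DAG is triggered.
# The ";" ends the intended command and starts a second one.
UNTRUSTED_PATH = "reports/daily.csv; echo INJECTED"


def run_bash(bash_command, env=None):
    # Stand-in for what BashOperator does with the rendered bash_command: "bash -c <script>".
    # Assumption: bash may be missing on minimal images, so fall back to sh; the
    # quoting shown below behaves identically in both.
    shell = shutil.which("bash") or "sh"
    proc = subprocess.run([shell, "-c", bash_command], env=env,
                          capture_output=True, text=True)
    return proc.stdout


def bash_command_by_formatting(path):
    # The pattern the rule flags: the value becomes part of the script text, so the
    # shell parses it as commands. A Jinja reference such as {{ dag_run.conf['path'] }}
    # inside bash_command ends up the same way, because templating is string
    # substitution performed before bash ever sees the script.
    return f"echo processing {path}"


# Hardened variant: the script text is a constant. The value is read from an
# environment variable and double-quoted, so the shell expands it as a single word
# and never parses its contents as syntax.
SAFE_BASH_COMMAND = 'echo processing "$INPUT_PATH"'


def env_for(path):
    # The untrusted value travels out-of-band in the environment; in Airflow this is
    # the env= parameter of BashOperator (with append_env=True if the task should
    # also inherit the scheduler's environment).
    return {**os.environ, "INPUT_PATH": path}


def run_vulnerable(path):
    return run_bash(bash_command_by_formatting(path))


def run_safe(path):
    return run_bash(SAFE_BASH_COMMAND, env=env_for(path))


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(UNTRUSTED_PATH)))
    print("safe:      ", repr(run_safe(UNTRUSTED_PATH)))
```

In Airflow the same split is BashOperator(bash_command='echo processing "$INPUT_PATH"', env={"INPUT_PATH": value}); the value may still be anything, but it can only ever be data to the script, never commands.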

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input from HTTP requests is passed directly to Python’s os.exec* functions (os.execl, os.execv, os.execvp and the other variants), which replace the current process with the named program. No shell is involved unless the program being exec’d is sh -c, but input that controls the program path or an argument still lets an attacker choose what runs, or pass an option the program acts on. Keep the program path constant, validate each user-supplied argument, and separate options from operands with -- where the target program supports it.

Impact

An attacker could execute arbitrary system commands on the server, leading to data theft, server compromise, or complete system takeover. This can result in loss of sensitive data, service disruption, and significant reputational or financial damage.
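Added example (not from this rule catalog) for the argv-array case that the Deno.run() rule and the os.exec* rule above both describe: there is no shell, yet a user-controlled element is still parsed by the target program, here as an option that makes it write a file of the attacker’s choosing. The target CLI is a constructed stand-in (a Python one-liner parsing its arguments with getopt, which like most CLIs stops option parsing at "--"), so the example runs anywhere; subprocess is used instead of os.execvp only so the result can be inspected in-process.

```python
import os
import re
import subprocess
import sys
import tempfile

# Constructed stand-in for a real tool (think `git log --output=FILE <ref>`):
# parses its own argv with getopt, which stops treating arguments as options at "--".
TARGET_TOOL = """
import getopt, sys
opts, args = getopt.getopt(sys.argv[1:], "", ["output="])
for name, value in opts:
    if name == "--output":
        with open(value, "w") as f:
            f.write("written by the tool\\n")
print("ref=" + (args[0] if args else "HEAD"))
"""


def run_tool(argv):
    # os.execvp(sys.executable, [sys.executable, "-c", TARGET_TOOL, *argv]) would hand
    # over the process with exactly this argv; subprocess lets us read the output.
    proc = subprocess.run([sys.executable, "-c", TARGET_TOOL, *argv],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def show_ref_vulnerable(ref):
    # Argv array, no shell, and still injectable: a value starting with "-" is
    # interpreted by the tool's own option parser.
    return run_tool([ref])


def show_ref_fixed(ref):
    # "--" tells the tool that everything after it is an operand, never an option.
    return run_tool(["--", ref])


# Allowlist for the value: must begin with an alphanumeric, so a leading "-" is
# rejected before the tool is even invoked (defence in depth alongside "--").
REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def validate_ref(ref):
    if not REF_RE.fullmatch(ref):
        raise ValueError(f"rejected ref: {ref!r}")
    return ref


def demo():
    # Runs both variants against an option-injection payload and reports whether the
    # tool was tricked into writing a file.
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "pwned.txt")
        payload = f"--output={target}"
        vulnerable_stdout = show_ref_vulnerable(payload)
        vulnerable_wrote_file = os.path.exists(target)
        if vulnerable_wrote_file:
            os.remove(target)
        fixed_stdout = show_ref_fixed(payload)
        fixed_wrote_file = os.path.exists(target)
    return {
        "payload": payload,
        "vulnerable_wrote_file": vulnerable_wrote_file,
        "vulnerable_stdout": vulnerable_stdout,
        "fixed_wrote_file": fixed_wrote_file,
        "fixed_stdout": fixed_stdout,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same check applies to Deno.Command/Deno.run with a cmd array: the array stops shell injection, not argument injection, so the program name stays constant, user values are validated, and operands go after "--" for tools that honour it.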

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: High

Description

User input from HTTP requests is passed directly to system commands through functions like os.system or os.popen, both of which hand the string to /bin/sh -c. Attackers can therefore use shell metacharacters to append commands of their own. Use subprocess with an argument list and shell=False, validate the input against an allowlist, and reserve shlex.quote() for the cases where a shell string is genuinely unavoidable.

Impact

If exploited, an attacker could run malicious commands with the application’s privileges, potentially leading to data theft, server compromise, or complete system takeover. This can result in data breaches, service disruption, and significant harm to the organization.
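Added example, not part of this rule catalog, for this rule and for the earlier shell-string rules it mirrors (spawn with shell: true, exec, shelljs exec(), the PHP shell functions): the same input run through a shell and run as an argv list, plus the allowlist and shlex.quote() fallbacks a reviewer would ask for. MALICIOUS_HOST is a constructed sample value, and echo stands in for the real tool (nslookup, ping, ...) so the example runs on any system with a POSIX shell.

```python
import os
import re
import shlex
import subprocess

# Constructed untrusted value, as it might arrive in a request parameter.
# The ";" ends the intended command and starts a second one.
MALICIOUS_HOST = "example.com; echo INJECTED"


def lookup_vulnerable(host):
    # os.popen() runs the string via "/bin/sh -c"; os.system() and
    # subprocess.run(..., shell=True) do the same. Every character of `host`
    # is shell syntax here.
    with os.popen(f"echo resolving {host}") as stream:
        return stream.read()


def lookup_safe(host):
    # Argument list, no shell: the value reaches echo as one literal argument,
    # so ";" is just a character in it.
    proc = subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Allowlist for a DNS hostname: labels of letters, digits and hyphens (no leading
# or trailing hyphen), joined by dots, at most 253 characters overall.
HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def validate_hostname(host):
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def lookup_validated(host):
    # Defence in depth: validate first, then execute without a shell.
    return lookup_safe(validate_hostname(host))


def shell_quoted_command(host):
    # Only when a shell string is unavoidable: shlex.quote() wraps the value in
    # single quotes so the shell treats it as exactly one word.
    return f"echo resolving {shlex.quote(host)}"


if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(MALICIOUS_HOST)))
    print("safe:      ", repr(lookup_safe(MALICIOUS_HOST)))
    print("quoted:    ", shell_quoted_command(MALICIOUS_HOST))
```

The argv-list form is the fix to reach for; the allowlist is what makes a detection like this one quiet when the value genuinely must come from a request, and shlex.quote() is the last resort when an existing shell pipeline cannot be rewritten.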