# Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | High |
## Description
The code builds a shell command from variables or other non-literal input and runs it through functions such as spawn() or spawnSync() from the child_process module. If that input is attacker-controlled, it can change which commands the shell executes, so the code is vulnerable to command injection.
## Impact
If exploited, an attacker could execute arbitrary system commands on the server, leading to data theft, unauthorized access, or complete compromise of the host system. This could result in data loss, service disruption, or your application being used to launch further attacks.