Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Passing untrusted user input directly to the shelljs exec() function allows attackers to execute arbitrary system commands on your server. exec() hands its argument to the system shell, so shell metacharacters in the input (such as `;`, `|`, `&&` or `$(...)`) are interpreted as command syntax rather than data. This happens when user data is not validated against an allowlist, or is concatenated into a shell string, before being used in command execution.
Impact
If exploited, an attacker could run malicious commands with the same privileges as your application, leading to data theft, server compromise, or complete system takeover. This can result in loss of sensitive data, service disruption, and reputational damage to your organization.