Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
User-supplied input is being passed directly to functions that spawn new processes (like os.spawn* or os.posix_spawn). This allows attackers to inject malicious commands that your application will execute on the server.
Impact#
If exploited, an attacker could run arbitrary system commands with the same permissions as your application, potentially leading to data theft, server compromise, or complete takeover of the host. This can expose sensitive data, disrupt services, or allow further attacks on your infrastructure.