Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage. There are at least two subtypes of OS command injection: From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
OS Command Injection Guide
Read our in-depth guide on exploiting and mitigating this weakness
Potential Impact
Confidentiality, Integrity, Availability, Non-Repudiation
Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart, Read Files or Directories, Modify Files or Directories, Read Application Data, Modify Application Data, Hide Activities
Demonstrative Examples
$userName = $_POST["user"];$command = 'ls -l /home/' . $userName;system($command);;rm -rf /ls -l /home/;rm -rf /int main(int argc, char** argv) {char cmd[CMD_MAX] = "/usr/bin/cat ";strcat(cmd, argv[1]);system(cmd);}use CGI qw(:standard);$name = param('name');$nslookup = "/path/to/nslookup";print header;if (open($fh, "$nslookup $name|")) {while (<$fh>) {print escapeHTML($_);print "<br>\n";}close($fh);}cwe.mitre.org%20%3B%20/bin/ls%20-l/path/to/nslookup cwe.mitre.org ; /bin/ls -lString script = System.getProperty("SCRIPTNAME");if (script != null)System.exec(script);Mitigations & Prevention
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to
For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in qu
If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, a
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Detection Methods
- Automated Static Analysis — This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is b
- Automated Dynamic Analysis Moderate — This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash,
- Manual Static Analysis High — Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
- Automated Static Analysis - Binary or Bytecode High — According to SOAR [REF-1479], the following detection techniques may be useful:
- Dynamic Analysis with Automated Results Interpretation SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
- Dynamic Analysis with Manual Results Interpretation SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2024-53899 | Virtual environment builder does not correctly quote "magic" template strings, allowing OS command injection using a directory whose name contains shell metacharacters |
| CVE-2025-44844 | file upload functionality in wireless access point allows OS command injection via shell metacharacters through the file name in a Content-Disposition header |
| CVE-2024-6091 | Chain: AI agent platform does not restrict pathnames containing internal "/./" sequences (CWE-55), leading to an incomplete denylist (CWE-184) that does not prevent OS command injection (CWE-78) |
| CVE-2024-41316 | Lua application in network device allows OS command injection into os.execute() |
| CVE-2024-44335 | Chain: filter only checks for some shell-injection characters (CWE-184), enabling OS command injection (CWE-78) |
| CVE-2024-52803 | Platform for handling LLMs has OS command injection during training due to insecure use of the "Popen" function |
| CVE-2020-10987 | OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV. |
| CVE-2020-10221 | Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV. |
| CVE-2020-9054 | Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. |
| CVE-1999-0067 | Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. |
| CVE-2001-1246 | Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Inje |
| CVE-2002-0061 | Web server allows command execution using "|" (pipe) character. |
| CVE-2003-0041 | FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. |
| CVE-2008-2575 | Shell metacharacters in a filename in a ZIP archive |
| CVE-2002-1898 | Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. |
Showing 15 of 19 observed examples.
Related Weaknesses
Taxonomy Mappings
- PLOVER: — OS Command Injection
- OWASP Top Ten 2007: A3 — Malicious File Execution
- OWASP Top Ten 2004: A6 — Injection Flaws
- CERT C Secure Coding: ENV03-C — Sanitize the environment when invoking external programs
- CERT C Secure Coding: ENV33-C — Do not call system()
- CERT C Secure Coding: STR02-C — Sanitize data passed to complex subsystems
- WASC: 31 — OS Commanding
- The CERT Oracle Secure Coding Standard for Java (2011): IDS07-J — Do not pass untrusted, unsanitized data to the Runtime.exec() method
- Software Fault Patterns: SFP24 — Tainted input to command
- OMG ASCSM: ASCSM-CWE-78 —
Frequently Asked Questions
What is CWE-78?
CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modi...
How can CWE-78 be exploited?
Attackers can exploit CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) to execute unauthorized code or commands, dos: crash, exit, or restart, read files or directories, modify files or directories, read application data, modify application data, hide activities. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-78?
Key mitigations include: If at all possible, use library calls rather than external processes to recreate the desired functionality.
What is the severity of CWE-78?
CWE-78 is classified as a Base-level weakness (Medium abstraction). It has been observed in 19 real-world CVEs.