SYM_JSTS_0087 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
OWASP | A01:2017 - Injection |
Confidence Level | Low |
Impact Level | High |
Likelihood Level | Low |
Description
Building a command from user-controlled input and passing it to child_process functions such as exec, execSync, or spawn/spawnSync with shell: true lets an attacker inject additional commands. These functions hand the whole string to the system shell (/bin/sh, or cmd.exe on Windows), which interprets metacharacters such as ;, |, &&, $( ) and backticks, so any input that is not validated or sanitized before reaching the shell becomes part of the command line. spawn and execFile called with an argument array do not start a shell, but letting the user choose the program name is still arbitrary command execution.
Impact
If exploited, an attacker can execute arbitrary system commands on the server with the privileges of the Node.js process, leading to data theft, data loss, or service disruption, and can use that foothold for privilege escalation and full compromise of the affected system.