SYM_JSTS_0096 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | High |
Description
This rule flags calls to spawn() or spawnSync() from Node's child_process module in which the command, its argument list, or the options object is built from variables or other non-literal input rather than from string literals. Two patterns are dangerous. If the first argument (the program to run) is derived from untrusted data, the attacker chooses which binary executes. If `shell: true` is set, or untrusted data is interpolated into a single command string that is handed to a shell (for example `sh -c`), shell metacharacters in that data (`;`, `|`, `&&`, `$(...)`, backticks) are interpreted, so the attacker can append or replace commands. The Low confidence reflects an important caveat: without `shell: true`, spawn() passes each element of the argument array to the new process as a separate argv entry and no shell parses them, so a variable used only as an argument is not by itself a command injection, although it can still smuggle unintended options into the program (a value starting with `-`) and should be validated.
Impact
If exploited, an attacker can execute arbitrary system commands on the server with the privileges of the Node.js process, leading to data theft, unauthorized access, or complete compromise of the host. This can result in data loss, service disruption, or the application being used as a foothold to attack other systems.