SYM_JSTS_0101 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

Calling `child_process.spawn` or `spawnSync` with `{shell: true}` (or with a `shell` option whose value is computed at runtime rather than fixed to `false`) runs the command through a shell. The shell interprets metacharacters such as `;`, `|`, `&&` and `$()` in the command string, so any argument that is not fully trusted can change which commands run. This makes it easier for an attacker to execute unintended or malicious commands.
## Impact

If exploited, an attacker could run arbitrary system commands with the privileges of your application, potentially leading to data theft, server compromise, or further attacks within your environment. The result can be a severe breach, data loss, or complete system takeover.