SYM_PY_0037 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

The code passes user-controlled input (such as environment variables or command-line arguments) directly to `asyncio.create_subprocess_exec` without proper sanitization. This allows untrusted data to influence the system commands your application executes, both the program that is run and the arguments it receives.
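The following is an added example, not code from the Symbiotic database or from any project this rule was written against. It shows the flagged pattern (`run_unchecked`) next to a hardened version that maps the caller's request through an allowlist and validates every operand before it reaches `asyncio.create_subprocess_exec`. The tool names, the `ALLOWED_TOOLS` mapping, the `_SAFE_ARG` pattern and the sample file are all constructed for illustration. One caveat worth knowing when triaging this finding: `create_subprocess_exec` never starts a shell, so shell metacharacters in an argument arrive at the child program as literal text. The remaining risk is a caller choosing the program itself (argv[0]) or supplying values the program will parse as options or as paths.

```python
"""Added example for SYM_PY_0037: untrusted input reaching
asyncio.create_subprocess_exec, with a hardened counterpart.

create_subprocess_exec does not invoke a shell, so ';', '|' or '$(...)'
inside an argument are passed literally to the program. What stays
dangerous is letting the caller pick the program name (argv[0]), or pass
values that the program reads as options (anything starting with '-') or
as paths outside the intended directory.
"""
import asyncio
import os
import re
import shutil
import tempfile
from typing import List, Sequence

# Constructed allowlist: the short name a client may send, mapped to the
# fixed argv prefix the service actually runs. Nothing else is executable.
ALLOWED_TOOLS = {
    "wc": ["wc", "-c"],
    "sort": ["sort"],
}

# Operands must be plain file names: letters, digits, '.', '_'; no leading
# '-', no path separators, no whitespace or control characters.
_SAFE_ARG = re.compile(r"[A-Za-z0-9._]+")


async def run_unchecked(tool: str, args: Sequence[str]) -> int:
    """VULNERABLE: the pattern the rule flags. Both the program name and its
    arguments come straight from the request, so a client can name any
    executable on PATH and hand it any flags."""
    proc = await asyncio.create_subprocess_exec(tool, *args)
    return await proc.wait()


def build_argv(tool: str, args: Sequence[str]) -> List[str]:
    """HARDENED: resolve the client's tool name through the allowlist and
    accept only operands that cannot be read as options or as paths.
    Raises ValueError for anything else."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not permitted: {tool!r}")
    for a in args:
        # '.' and '..' pass the character class but name directories, not files.
        if not _SAFE_ARG.fullmatch(a) or a in (".", ".."):
            raise ValueError(f"argument rejected: {a!r}")
    # '--' makes POSIX utilities treat everything after it as an operand,
    # a second line of defence should the regex ever be loosened.
    return list(ALLOWED_TOOLS[tool]) + ["--"] + list(args)


def rejects(tool: str, args: Sequence[str]) -> bool:
    """True if build_argv refuses this request (used in the self-check below)."""
    try:
        build_argv(tool, args)
    except ValueError:
        return True
    return False


async def run_checked(tool: str, args: Sequence[str], workdir: str) -> int:
    """HARDENED: exec only a validated argv, confined to workdir so that the
    file-name-only operands can never refer to another directory."""
    argv = build_argv(tool, args)
    proc = await asyncio.create_subprocess_exec(
        *argv, cwd=workdir,
        stdout=asyncio.subprocess.DEVNULL, stderr=asyncio.subprocess.DEVNULL,
    )
    return await proc.wait()


if __name__ == "__main__":
    print(build_argv("wc", ["notes.txt"]))  # ['wc', '-c', '--', 'notes.txt']
    for bad in (("rm", ["notes.txt"]), ("wc", ["-r"]), ("sort", ["../etc/passwd"])):
        print("rejected:", bad, rejects(*bad))
    if shutil.which("wc"):  # constructed input: a one-line file in a temp dir
        with tempfile.TemporaryDirectory() as d:
            with open(os.path.join(d, "notes.txt"), "w") as fh:
                fh.write("hello\n")
            print("exit status:", asyncio.run(run_checked("wc", ["notes.txt"], d)))
```

The allowlist is the part that removes the finding: once argv[0] is fixed by the server, the worst a caller can do is pick among the permitted tools. Validating operands and passing `--` closes the option-injection path, and `cwd=` plus the no-separator rule keeps file operands inside one directory. The exec form still offers no protection if a permitted program itself hands its arguments to a shell, so the allowlist should only contain tools that do not.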
## Impact

An attacker could inject malicious commands, leading to command execution on the server. This can result in data theft, unauthorized access, service disruption, or full system compromise, putting both your application's data and infrastructure at risk.