Command injection allows attackers to execute arbitrary operating system commands on the server through vulnerable application interfaces.
Command Injection (also known as OS Command Injection or Shell Injection) occurs when an application passes user-supplied input to a system shell for execution. An attacker can inject shell metacharacters to append or modify the intended command, executing arbitrary commands on the server with the application's privileges.
The vulnerability typically arises when applications use functions like `child_process.exec()`, `os.system()`, or `Runtime.exec()` with user-controlled input. Shell metacharacters such as `;`, `&&`, `||`, `|`, and backticks allow command chaining or substitution. For example, if an application runs `ping -c 1 <user_input>` and the user provides `google.com; cat /etc/passwd`, both commands execute.
Command injection is one of the most severe vulnerabilities because it gives attackers direct access to the server's operating system. An attacker can read or modify any file the application has access to, install backdoors and malware, pivot to other systems on the network, exfiltrate data, launch attacks against other targets, and potentially gain root access through privilege escalation. Because the commands execute with the application's permissions, the impact depends on the application's privilege level -- but even unprivileged access can be devastating.
Avoid executing OS commands based on user input whenever possible. Use language-native libraries instead of shelling out (e.g., use Node.js `dns.lookup()` instead of spawning `ping`). When shell execution is unavoidable, use `child_process.execFile()` or `child_process.spawn()` which do not invoke a shell and pass arguments as arrays. Never pass user input through `child_process.exec()`. Validate input against strict allowlists (e.g., only allow alphanumeric characters for hostnames). Escape shell metacharacters if you must include user input in commands. Run the application with minimal OS privileges. Use containerization and sandboxing to limit the blast radius.
Select your framework for a detailed guide on fixing Command Injection with framework-specific code examples and security checklists.
Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, data theft, and defacement.
SQL Injection
SQL Injection allows attackers to interfere with database queries, potentially reading, modifying, or deleting data, and in some cases executing system commands.
Cross-Site Request Forgery (CSRF)
CSRF forces authenticated users to execute unwanted actions on a web application, exploiting the trust a site has in a user's browser.
Insecure Direct Object References (IDOR)
IDOR occurs when an application exposes internal implementation objects (like database IDs) and fails to verify that users are authorized to access the referenced resource.
Broken Authentication
Broken authentication encompasses weaknesses in session management, credential handling, and identity verification that allow attackers to compromise user accounts.
Security Misconfiguration
Security misconfiguration encompasses insecure default settings, open cloud storage, verbose error messages, unnecessary features, and missing security headers.
Sensitive Data Exposure
Sensitive data exposure occurs when applications fail to adequately protect sensitive information like credentials, tokens, personal data, or financial information.
Missing Rate Limiting
Missing rate limiting allows attackers to perform brute force attacks, credential stuffing, API abuse, and denial of service by making unlimited requests.
JWT Vulnerabilities
JWT vulnerabilities include algorithm confusion, missing validation, token leakage, and improper key management that can lead to authentication bypass.
Path Traversal
Path traversal allows attackers to access files and directories stored outside the intended directory by manipulating file path references.
Server-Side Request Forgery (SSRF)
SSRF allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services, metadata APIs, and private networks.
File Upload Vulnerabilities
Insecure file upload handling can allow attackers to upload malicious files including web shells, malware, or files that exploit server-side processing.
Insecure Deserialization
Insecure deserialization allows attackers to manipulate serialized objects to achieve remote code execution, replay attacks, injection, or privilege escalation.
Row Level Security (RLS) Bypass
RLS bypass vulnerabilities occur when database-level access policies are missing, misconfigured, or can be circumvented, exposing data across tenant boundaries.
SafeVibe runs automated penetration tests to detect Command Injection and 14 other vulnerability types in your application.
Start Free Scan