CWE-74 Class Incomplete High likelihood

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or…

Definition

What is CWE-74?

This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.

At its core, an injection flaw happens because software makes assumptions about what is data versus what is executable code or control syntax. When user-supplied input is not validated against these assumptions, an attacker can inject their own instructions into the data stream. This effectively tricks the downstream parser—like a database, OS shell, or interpreter—into executing those instructions, altering the program's normal control flow. Unlike other vulnerabilities that might require multiple flaws to be chained together, injection attacks are direct. They exploit the legitimate data processing channels of an application. The attacker's payload is delivered as ordinary input data, but because it contains special, un-neutralized elements, it is misinterpreted as code. This makes injection a broad and critical class of issues, encompassing SQL injection, command injection, and many others, each requiring specific sanitization techniques for the target interpreter.

Real-world impact

Real-world CVEs caused by CWE-74

CVE-2024-5184

API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.
CVE-2022-36069

Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution.
CVE-1999-0067

Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
CVE-2022-1509

injection of sed script syntax ("sed injection")
CVE-2020-9054

Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
CVE-2021-44228

Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability)

How attackers exploit it

Step-by-step attacker path

1
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
2
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
3
Which would result in $command being:
4
Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.
5
Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.

Vulnerable code example

Vulnerable PHP

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

Vulnerable PHP

$userName = $_POST["user"];
  $command = 'ls -l /home/' . $userName;
  system($command);

Attacker payload

The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

Attacker payload

;rm -rf /

Secure code example

Secure Perl

However, validate_name() allows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories. There are a couple possible mitigations for this weakness. One would be to refactor the code to avoid using system() altogether, instead relying on internal functions. Another option could be to add a "--" argument to the ls command, such as "ls -l --", so that any remaining arguments are treated as filenames, causing any leading "-" to be treated as part of a filename instead of another option. Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:

Secure Perl

if ($name =~ /^\w[\w\-]+$/) ...

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-74

Requirements Programming languages and supporting technologies might be chosen which are not subject to these issues.
Implementation Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Detection signals

How to detect CWE-74

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-74 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-74?

How serious is CWE-74?

MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.

What languages or platforms are affected by CWE-74?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-74?

Programming languages and supporting technologies might be chosen which are not subject to these issues. Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

How does Plexicus detect and fix CWE-74?

Plexicus's SAST engine matches the data-flow signature for CWE-74 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-74?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/74.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-74

CWE-707 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

What is CWE-74?

Real-world CVEs caused by CWE-74

Step-by-step attacker path

Vulnerable PHP

Secure Perl

How to prevent CWE-74

How to detect CWE-74

Plexicus auto-detects CWE-74 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-74