CWE-78 Base Stable High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary…

Definition

What is CWE-78?

OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system.
This vulnerability is particularly dangerous in web applications or privileged software. In a web context, an attacker can exploit it without direct system access. If the vulnerable process runs with high privileges, the attacker can execute commands with those same elevated permissions, bypassing normal security controls and significantly increasing potential damage. There are two primary scenarios. First, an application executes a fixed command but unsafely incorporates user input as an argument. An attacker can inject command separators (like ; or &) to chain malicious commands. Second, and more severe, the application directly uses user input to select and execute the entire command. This often happens when developer controls are bypassed, granting the attacker full control over what command is run.
Vulnerability Diagram CWE-78
OS Command Injection Param: file log.txt; cat /etc/shadow system() / Runtime.exec() cat $file ; → command separator | → pipe && → chain Shell executes attacker's payload Metacharacters (; | &&) split a single command into many.
Real-world impact

Real-world CVEs caused by CWE-78

  • CVE-2024-52803

    Platform for handling LLMs has OS command injection during training due to insecure use of the "Popen" function

  • CVE-2020-10987

    OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV.

  • CVE-2020-10221

    Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV.

  • CVE-2020-9054

    Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.

  • CVE-1999-0067

    Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.

  • CVE-2001-1246

    Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.

  • CVE-2002-0061

    Web server allows command execution using "|" (pipe) character.

  • CVE-2003-0041

    FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection.

How attackers exploit it

Step-by-step attacker path

  1. 1

    This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

  2. 2

    The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

  3. 3

    Which would result in $command being:

  4. 4

    Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.

  5. 5

    Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.

Vulnerable code example

Vulnerable PHP

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

Vulnerable PHP 
$userName = $_POST["user"];
  $command = 'ls -l /home/' . $userName;
  system($command);
Attacker payload

The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

Attacker payload 
;rm -rf /
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-78

  • Architecture and Design If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • Architecture and Design / Operation Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
  • Architecture and Design For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
  • Architecture and Design For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
  • Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Implementation While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
  • Implementation If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
  • Architecture and Design If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Detection signals

How to detect CWE-78

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.

Automated Dynamic Analysis Moderate

This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Manual Static Analysis High

Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.

Automated Static Analysis - Binary or Bytecode High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis

Dynamic Analysis with Automated Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Fuzz Tester Framework-based Fuzzer

Plexicus auto-fix

Plexicus auto-detects CWE-78 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-78?

OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system.

How serious is CWE-78?

MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.

What languages or platforms are affected by CWE-78?

MITRE lists the following affected platforms: AI/ML.

How can I prevent CWE-78?

If at all possible, use library calls rather than external processes to recreate the desired functionality. Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some…

How does Plexicus detect and fix CWE-78?

Plexicus's SAST engine matches the data-flow signature for CWE-78 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-78?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/78.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-78

CWE-77 Parent

Improper Neutralization of Special Elements used in a Command ('Command Injection')

This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An…

CWE-1427 Sibling

Improper Neutralization of Input Used for LLM Prompting

This vulnerability occurs when an application builds prompts for a Large Language Model (LLM) using external data, but does so in a way…

CWE-624 Sibling

Executable Regular Expression Error

This vulnerability occurs when an application uses a regular expression that can execute code, either because it directly contains…

CWE-88 Sibling

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate…

CWE-917 Sibling

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Expression Language Injection occurs when an application uses untrusted, external input to build an expression language statement—common…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.