SiteShadow

CWE-77 Command Injection

What this means

SiteShadow flagged a pattern where untrusted input may be interpreted by a shell or command parser, allowing an attacker to alter the command being executed.

Why it matters

An attacker who controls the injected input can run arbitrary system commands with the privileges of the process that invokes the shell.

Safer examples

1) Don't build shell strings; pass arguments as arrays

import subprocess
# Arguments are passed as a list and shell=False (the default), so user data
# reaches the program as plain argument bytes and can never become shell syntax.
subprocess.run(["git", "status"], check=True)

2) Avoid shell=True / shell execution

If you must use shell features, strictly allowlist inputs and isolate execution.

3) Use allowlists for user-controlled command choices

// Only values in the allowlist are accepted; anything else falls back to a safe default.
const allowed = new Set(["status", "version"]);
const cmd = allowed.has(req.query.cmd) ? req.query.cmd : "status";
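An added example (not code from the SiteShadow page) that puts the flagged pattern beside a hardened wrapper combining the three points above. The wrapper, its allowlists and the sample inputs are constructed for illustration; `shell_would_parse` tokenizes a string the way a POSIX shell would, to show where an injected separator ends up.

```python
import re
import shlex
import subprocess
from typing import Optional

# Constructed allowlist: the only git subcommands a web handler may run.
ALLOWED_SUBCOMMANDS = {"status", "version"}
# Constructed allowlist for one optional path argument (letters, digits, . _ / -).
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]{1,64}$")


def vulnerable_command_line(user_cmd: str) -> str:
    """The flagged pattern: untrusted text spliced into a shell string.
    Returned rather than executed so the injected tokens can be inspected."""
    return f"git {user_cmd}"


def shell_would_parse(command_line: str) -> list:
    """Tokenize like a POSIX shell; ';' becomes its own token, i.e. a new command."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def build_argv(user_cmd: str, extra: Optional[str] = None) -> list:
    """Hardened: allowlist the subcommand and return an argv list (no shell)."""
    if user_cmd not in ALLOWED_SUBCOMMANDS:
        raise ValueError(f"subcommand not allowed: {user_cmd!r}")
    argv = ["git", user_cmd]
    if extra is not None:
        # Even without a shell, a value starting with '-' would be read by git
        # as an option, so reject it and also terminate option parsing with '--'.
        if not SAFE_ARG.fullmatch(extra) or extra.startswith("-"):
            raise ValueError(f"argument rejected: {extra!r}")
        argv += ["--", extra]
    return argv


def run_git(user_cmd: str, extra: Optional[str] = None) -> subprocess.CompletedProcess:
    """Execute the allowlisted command; shell metacharacters in argv are inert."""
    return subprocess.run(build_argv(user_cmd, extra), check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    print(shell_would_parse(vulnerable_command_line("status; echo pwned")))
    print(build_argv("status", "src/main.py"))
```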

How SiteShadow detects it (high level)

References
