
Command Injection: How Attackers Execute OS Commands Through Your App

Understanding and preventing OS command injection in web applications

What Is Command Injection

Command injection (also called OS command injection) is a vulnerability where an attacker executes arbitrary operating system commands on the server through an application that passes user input to a system shell. The attacker appends shell metacharacters to input that is concatenated into a command string.

Mapped to CWE-78 and classified under OWASP A03:2021 – Injection, command injection can give an attacker full control of the server, making it one of the highest-severity vulnerability classes (CVSS 9.8+).

Command injection is distinct from code injection: command injection targets the operating system shell, while code injection targets the application runtime (e.g., eval() in JavaScript or Python).

How Command Injection Works

Applications that construct shell commands from user input are vulnerable when metacharacters like ;, |, &&, or backticks are not filtered:

// Node.js - VULNERABLE: exec() hands the concatenated string to /bin/sh,
// so any shell metacharacter in userInput (taken from the request) is honoured
const { exec } = require('child_process');
exec('ping -c 4 ' + userInput);

# Python - VULNERABLE: os.system() runs the string through the system shell
import os
os.system('ping -c 4 ' + user_input)

// Java - VULNERABLE: Runtime.exec(String) only splits on whitespace and does not
// start a shell, so for ';' chaining to work the command is passed to sh -c here
Runtime.getRuntime().exec(new String[]{"sh", "-c", "ping -c 4 " + userInput});

An attacker enters ; cat /etc/passwd as input. The resulting command becomes:

ping -c 4 ; cat /etc/passwd

The shell executes both commands: the legitimate ping and the attacker's file read. More dangerous payloads install backdoors, exfiltrate data, or pivot to other systems.

Real-World Command Injection

  • Shellshock (2014): A command injection vulnerability in Bash itself (CVE-2014-6271) affected millions of servers. Attackers injected commands through HTTP headers processed by CGI scripts.
  • Equifax (2017): While primarily a Struts vulnerability, the exploitation chain included command execution that led to the exfiltration of 147 million records.
  • Node.js ecosystem: Multiple npm packages have been found vulnerable to command injection through child_process.exec() with unsanitized input, including build tools and image processors.

Command injection is often found in features that interact with the filesystem, image processing, PDF generation, DNS lookups, or any functionality that shells out to OS utilities.

How CodeSlick Detects Command Injection

CodeSlick identifies command injection patterns across all five supported languages:

  • Node.js: child_process.exec(), execSync(), and spawn() with the shell option and user-controlled arguments
  • Python: os.system(), subprocess.call() with shell=True, os.popen()
  • Java: Runtime.exec() and ProcessBuilder with user input
  • Go: exec.Command() with user-controlled arguments

Findings are rated Critical (CVSS 9.8) with CWE-78 classification. CodeSlick's AI-powered fixes suggest safe alternatives like execFile() (Node.js) or subprocess.run() with argument lists (Python).
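The following Python example is added here and is not part of the original article or CodeSlick's product code. It shows why the concatenated form above is dangerous (a shell-style tokeniser splits the article's payload into two commands) and what the argument-list remediation looks like: the host is validated against a hostname pattern and passed to subprocess.run() as one argv element with shell=False. The function names, the hostname regex and the sample payload are constructed for this illustration.

```python
import re
import shlex
import subprocess

# Constructed sample: the payload the article walks through, prefixed with a host.
ATTACKER_INPUT = "8.8.8.8; cat /etc/passwd"


def vulnerable_command(user_input: str) -> str:
    """Mirror of os.system('ping -c 4 ' + user_input): the string the shell parses."""
    return "ping -c 4 " + user_input


def shell_commands(command: str) -> list[list[str]]:
    """Tokenise like a POSIX shell and split at ';' (simplified: ';' only, no quoting tricks).

    This is only a model of the shell used to show the split; it never executes anything.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Hostname labels only (RFC 1123 style): no spaces, ';', '|', '&', '`', '$' or a leading '-'.
# Rejecting a leading '-' also blocks argument injection (e.g. an extra ping flag).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def safe_ping_argv(user_input: str) -> list[str]:
    """Argument list for subprocess.run(..., shell=False): each element is literal, no shell parsing."""
    if not HOSTNAME_RE.match(user_input):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "4", user_input]


def run_ping(user_input: str) -> subprocess.CompletedProcess:
    """Hardened equivalent of the vulnerable snippet; raises ValueError on bad input."""
    return subprocess.run(safe_ping_argv(user_input), shell=False,
                          capture_output=True, text=True, timeout=15)
```

shell_commands() returns two commands for the attacker payload, while safe_ping_argv() refuses it outright and, for a valid host, yields one argv element that ping receives verbatim.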

Detect command injection patterns in your Node.js, Python, Java, and Go code.
