Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-74 Class Incomplete
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or…
Definition
What is CWE-74?
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
At its core, an injection flaw happens because software makes assumptions about what is data versus what is executable code or control syntax. When user-supplied input is not validated against these assumptions, an attacker can inject their own instructions into the data stream. This effectively tricks the downstream parser—like a database, OS shell, or interpreter—into executing those instructions, altering the program's normal control flow.
Unlike other vulnerabilities that might require multiple flaws to be chained together, injection attacks are direct. They exploit the legitimate data processing channels of an application. The attacker's payload is delivered as ordinary input data, but because it contains special, un-neutralized elements, it is misinterpreted as code. This makes injection a broad and critical class of issues, encompassing SQL injection, command injection, and many others, each requiring specific sanitization techniques for the target interpreter.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-74
-
API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.
-
Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution.
-
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
-
injection of sed script syntax ("sed injection")
-
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
-
Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability)
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
- 2
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
- 3
Which would result in $command being:
- 4
Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.
- 5
Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.
Verwundbares Codebeispiel
Vulnerable PHP
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
$userName = $_POST["user"];
$command = 'ls -l /home/' . $userName;
system($command); Angreifer-Payload
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
;rm -rf / Sicheres Codebeispiel
Secure Perl
However, validate_name() allows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories. There are a couple possible mitigations for this weakness. One would be to refactor the code to avoid using system() altogether, instead relying on internal functions. Another option could be to add a "--" argument to the ls command, such as "ls -l --", so that any remaining arguments are treated as filenames, causing any leading "-" to be treated as part of a filename instead of another option. Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:
if ($name =~ /^\w[\w\-]+$/) ... What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-74
- Requirements Programming languages and supporting technologies might be chosen which are not subject to these issues.
- Implementation Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Erkennungssignale
How to detect CWE-74
Plexicus erkennt CWE-74 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-74?
Wie gravierend ist CWE-74?
Welche Sprachen oder Plattformen sind von CWE-74 betroffen?
Wie kann ich CWE-74 verhindern?
Wie erkennt und behebt Plexicus CWE-74?
Wo erfahre ich mehr über CWE-74?
Frequently asked questions
Was ist CWE-74?
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
Wie gravierend ist CWE-74?
MITRE stuft die Exploit-Wahrscheinlichkeit als hoch ein — diese Schwachstelle wird aktiv in freier Wildbahn ausgenutzt und sollte priorisiert behoben werden.
Welche Sprachen oder Plattformen sind von CWE-74 betroffen?
MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.
Wie kann ich CWE-74 verhindern?
Programming languages and supporting technologies might be chosen which are not subject to these issues. Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Wie erkennt und behebt Plexicus CWE-74?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-74 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-74?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/74.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-74
CWE-707 Parent
Improper Neutralization
This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external…
CWE-116 Sibling
Improper Encoding or Escaping of Output
This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but…
CWE-138 Sibling
Improper Neutralization of Special Elements
This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have…
CWE-1426 Sibling
Improper Validation of Generative AI Output
This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before…
CWE-170 Sibling
Improper Null Termination
This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.
CWE-172 Sibling
Encoding Error
This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted…
CWE-182 Sibling
Collapse of Data into Unsafe Value
This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information,…
CWE-20 Sibling
Improper Input Validation
This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and…
CWE-228 Sibling
Improper Handling of Syntactically Invalid Structure
This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.