CWE-74 Clase Incompleto High likelihood

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or…

Definición

What is CWE-74?

This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
At its core, an injection flaw happens because software makes assumptions about what is data versus what is executable code or control syntax. When user-supplied input is not validated against these assumptions, an attacker can inject their own instructions into the data stream. This effectively tricks the downstream parser—like a database, OS shell, or interpreter—into executing those instructions, altering the program's normal control flow. Unlike other vulnerabilities that might require multiple flaws to be chained together, injection attacks are direct. They exploit the legitimate data processing channels of an application. The attacker's payload is delivered as ordinary input data, but because it contains special, un-neutralized elements, it is misinterpreted as code. This makes injection a broad and critical class of issues, encompassing SQL injection, command injection, and many others, each requiring specific sanitization techniques for the target interpreter.
Impacto en el mundo real

Real-world CVEs caused by CWE-74

  • CVE-2024-5184

    API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.

  • CVE-2022-36069

    Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution.

  • CVE-1999-0067

    Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.

  • CVE-2022-1509

    injection of sed script syntax ("sed injection")

  • CVE-2020-9054

    Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.

  • CVE-2021-44228

    Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability)

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

  2. 2

    The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

  3. 3

    Which would result in $command being:

  4. 4

    Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.

  5. 5

    Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.

Ejemplo de código vulnerable

Vulnerable PHP

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

Vulnerable PHP 
$userName = $_POST["user"];
  $command = 'ls -l /home/' . $userName;
  system($command);
Payload del atacante

The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

Payload del atacante 
;rm -rf /
Ejemplo de código seguro

Secure Perl

However, validate_name() allows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories. There are a couple possible mitigations for this weakness. One would be to refactor the code to avoid using system() altogether, instead relying on internal functions. Another option could be to add a "--" argument to the ls command, such as "ls -l --", so that any remaining arguments are treated as filenames, causing any leading "-" to be treated as part of a filename instead of another option. Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:

Seguro Perl 
if ($name =~ /^\w[\w\-]+$/) ...
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-74

  • Requirements Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • Implementation Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Señales de detección

How to detect CWE-74

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-74 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-74?

This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.

¿Qué gravedad tiene CWE-74?

MITRE califica la probabilidad de explotación como Alta — esta debilidad se explota activamente en la práctica y debe priorizarse para su remediación.

¿Qué lenguajes o plataformas se ven afectados por CWE-74?

MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.

¿Cómo puedo prevenir CWE-74?

Programming languages and supporting technologies might be chosen which are not subject to these issues. Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

¿Cómo detecta y corrige Plexicus CWE-74?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-74 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-74?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/74.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-74

CWE-707 Padre

Improper Neutralization

This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external…

CWE-116 Hermano

Improper Encoding or Escaping of Output

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but…

CWE-138 Hermano

Improper Neutralization of Special Elements

This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have…

CWE-1426 Hermano

Improper Validation of Generative AI Output

This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before…

CWE-170 Hermano

Improper Null Termination

This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.

CWE-172 Hermano

Encoding Error

This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted…

CWE-182 Hermano

Collapse of Data into Unsafe Value

This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information,…

CWE-20 Hermano

Improper Input Validation

This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and…

CWE-228 Hermano

Improper Handling of Syntactically Invalid Structure

This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo