Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-74 Classe Incomplet
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or…
Définition
What is CWE-74?
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
At its core, an injection flaw happens because software makes assumptions about what is data versus what is executable code or control syntax. When user-supplied input is not validated against these assumptions, an attacker can inject their own instructions into the data stream. This effectively tricks the downstream parser—like a database, OS shell, or interpreter—into executing those instructions, altering the program's normal control flow.
Unlike other vulnerabilities that might require multiple flaws to be chained together, injection attacks are direct. They exploit the legitimate data processing channels of an application. The attacker's payload is delivered as ordinary input data, but because it contains special, un-neutralized elements, it is misinterpreted as code. This makes injection a broad and critical class of issues, encompassing SQL injection, command injection, and many others, each requiring specific sanitization techniques for the target interpreter.
Impact réel
Real-world CVEs caused by CWE-74
-
API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.
-
Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution.
-
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
-
injection of sed script syntax ("sed injection")
-
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
-
Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability)
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
- 2
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
- 3
Which would result in $command being:
- 4
Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.
- 5
Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.
Exemple de code vulnérable
Vulnerable PHP
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
$userName = $_POST["user"];
$command = 'ls -l /home/' . $userName;
system($command); Charge utile de l'attaquant
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
;rm -rf / Exemple de code sécurisé
Secure Perl
However, validate_name() allows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories. There are a couple possible mitigations for this weakness. One would be to refactor the code to avoid using system() altogether, instead relying on internal functions. Another option could be to add a "--" argument to the ls command, such as "ls -l --", so that any remaining arguments are treated as filenames, causing any leading "-" to be treated as part of a filename instead of another option. Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:
if ($name =~ /^\w[\w\-]+$/) ... What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-74
- Requirements Programming languages and supporting technologies might be chosen which are not subject to these issues.
- Implementation Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Signaux de détection
How to detect CWE-74
Plexicus détecte automatiquement CWE-74 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-74 ?
Quelle est la gravité de CWE-74 ?
Quels langages ou plateformes sont affectés par CWE-74 ?
Comment puis-je prévenir CWE-74 ?
Comment Plexicus détecte et corrige CWE-74 ?
Où puis-je en savoir plus sur CWE-74 ?
Frequently asked questions
Qu'est-ce que CWE-74 ?
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
Quelle est la gravité de CWE-74 ?
MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.
Quels langages ou plateformes sont affectés par CWE-74 ?
MITRE n'a pas spécifié les plateformes affectées pour ce CWE — il peut s'appliquer à la plupart des stacks applicatives.
Comment puis-je prévenir CWE-74 ?
Programming languages and supporting technologies might be chosen which are not subject to these issues. Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Comment Plexicus détecte et corrige CWE-74 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-74 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-74 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/74.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-74
CWE-707 Parent
Improper Neutralization
This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external…
CWE-116 Frère
Improper Encoding or Escaping of Output
This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but…
CWE-138 Frère
Improper Neutralization of Special Elements
This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have…
CWE-1426 Frère
Improper Validation of Generative AI Output
This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before…
CWE-170 Frère
Improper Null Termination
This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.
CWE-172 Frère
Encoding Error
This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted…
CWE-182 Frère
Collapse of Data into Unsafe Value
This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information,…
CWE-20 Frère
Improper Input Validation
This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and…
CWE-228 Frère
Improper Handling of Syntactically Invalid Structure
This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.