Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-94 Base Brouillon
Improper Control of Generation of Code ('Code Injection')
This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an…
Définition
What is CWE-94?
This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an attacker can inject special characters or commands that alter the intended code's logic or syntax.
Code injection happens when user-supplied data is directly incorporated into dynamically generated code, like SQL queries, OS commands, or script blocks. Attackers exploit this by crafting inputs containing command delimiters or code syntax, tricking the application into executing unintended instructions. This can lead to data theft, system takeover, or complete compromise of the application's environment.
To prevent this, developers must strictly separate code from data. Use parameterized queries for databases, prepared statements, or safe API calls that automatically handle escaping. Never concatenate raw user input into executable strings. Input validation is also critical, but it should be a secondary defense, as proper use of secure coding interfaces is the most reliable way to neutralize injection risks.
Impact réel
Real-world CVEs caused by CWE-94
-
Math component in an LLM framework translates user input into a Python expression that is input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
-
Python-based library uses an LLM prompt containing user input to dynamically generate code that is then fed as input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
-
Framework for LLM applications allows eval injection via a crafted response from a hosting provider.
-
Python compiler uses eval() to execute malicious strings as Python code.
-
Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.
-
"Code injection" in VPN product, as exploited in the wild per CISA KEV.
-
Eval injection in PHP program.
-
Eval injection in Perl program.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
This example attempts to write user messages to a message file and allow users to view them.
- 2
While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:
- 3
which will decode to the following:
- 4
The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.
- 5
Notice that XSS (CWE-79) is also possible in this situation.
Exemple de code vulnérable
Vulnerable PHP
This example attempts to write user messages to a message file and allow users to view them.
$MessageFile = "messages.out";
if ($_GET["action"] == "NewMessage") {
$name = $_GET["name"];
$message = $_GET["message"];
$handle = fopen($MessageFile, "a+");
fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
fclose($handle);
echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
include($MessageFile);
} Charge utile de l'attaquant
While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:
name=h4x0r
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E Exemple de code sécurisé
Secure Python
A way to accomplish this without the use of eval() is to apply an integer conversion on the input within a try/except block. If the user-supplied input is not numeric, this will raise a ValueError. By avoiding eval(), there is no opportunity for the input string to be executed as code.
def main():
sum = 0
numbers = input("Enter a space-separated list of numbers: ").split(" ")
try:
for num in numbers:
sum = sum + int(num)
print(f"Sum of {numbers} = {sum}")
except ValueError:
print("Error: invalid input")
main() What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-94
- Architecture and Design Refactor your program so that you do not have to dynamically generate code.
- Architecture and Design Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
- Implementation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
- Testing Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
- Testing Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
- Operation Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
- Operation Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
- Implementation For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
Signaux de détection
How to detect CWE-94
Plexicus détecte automatiquement CWE-94 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-94 ?
Quelle est la gravité de CWE-94 ?
Quels langages ou plateformes sont affectés par CWE-94 ?
Comment puis-je prévenir CWE-94 ?
Comment Plexicus détecte et corrige CWE-94 ?
Où puis-je en savoir plus sur CWE-94 ?
Frequently asked questions
Qu'est-ce que CWE-94 ?
This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an attacker can inject special characters or commands that alter the intended code's logic or syntax.
Quelle est la gravité de CWE-94 ?
MITRE évalue la probabilité d'exploitation comme Moyenne — l'exploitation est réaliste mais nécessite généralement des conditions spécifiques.
Quels langages ou plateformes sont affectés par CWE-94 ?
MITRE lists the following affected platforms: Interpreted, AI/ML.
Comment puis-je prévenir CWE-94 ?
Refactor your program so that you do not have to dynamically generate code. Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of…
Comment Plexicus détecte et corrige CWE-94 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-94 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-94 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/94.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-94
CWE-74 Parent
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another…
CWE-1236 Frère
Improper Neutralization of Formula Elements in a CSV File
This vulnerability occurs when an application writes user-supplied data into a CSV file without properly sanitizing special characters.…
CWE-75 Frère
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
This vulnerability occurs when an application fails to properly filter or encode user-supplied data containing special characters or…
CWE-77 Frère
Improper Neutralization of Special Elements used in a Command ('Command Injection')
This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An…
CWE-78 Frère
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it.…
CWE-79 Frère
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This vulnerability occurs when a web application fails to properly sanitize or encode user-supplied input before displaying it on a…
CWE-88 Frère
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate…
CWE-89 Frère
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an…
CWE-91 Frère
XML Injection (aka Blind XPath Injection)
XML Injection occurs when an application fails to properly validate or escape user-controlled input before including it in XML documents…
Ressources
Further reading
- MITRE — CWE-94 officiel https://cwe.mitre.org/data/definitions/94.html
- How ast.literal_eval can cause memory exhaustion https://www.reddit.com/r/learnpython/comments/zmbhcf/how_astliteral_eval_can_cause_memory_exhaustion/
- ast - Abstract Syntax Trees https://docs.python.org/3/library/ast.html#ast.literal_eval
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.