CWE-78 · Improper Neutralization of Special Elements used in an OS Command

OS Command Injection

CWE-78 · 3 case studies

OS Command Injection occurs when user-controlled strings are incorporated into a command line that is handed to a shell (via exec(), spawn() with shell:true, or similar APIs) without being neutralized. Because the shell parses that string, an attacker can use metacharacters (;, |, &&, $(), backticks) to terminate the intended command and append their own, which then run with the privileges of the process that spawned the shell.

It is surprisingly common in developer tools and build pipelines, where passing user-specified package names, paths, or version strings to a CLI tool seems natural. The React Native CLI vulnerability (CVE-2025-11953) is a canonical example: a package name that looked like a benign string was passed to a shell command and could contain ; followed by arbitrary shell code.

PullLight looks for exec/spawn calls where the shell option is true or where command arguments are string-concatenated from any user-input source, including CLI arguments, package names from config files, and URL parameters.

Case studies in this class

CVE-2024-23897 — Jenkins CLI Argument Injection (jenkins), CVSS 9.8
CLI Argument Injection via args4j expandAtFiles()

CVE-2025-11953 — React Native CLI Command Injection (@react-native-community/cli), CVSS 9.8
OS Command Injection via CLI Package Installation

CVE-2026-46624 — Twenty CRM SQLi to RCE (twentyhq/twenty), CVSS 9.1
SQL Injection leading to OS Command Execution via timeZone

Frequently asked questions

What is OS Command Injection?
OS Command Injection happens when untrusted data is concatenated into a shell command string. Attackers use shell metacharacters to break out of the intended argument and inject arbitrary commands that run with the server process's privileges.
How do you prevent OS Command Injection?
Use execFile() or spawn() with an argument array and no shell (never shell:true, which joins the array back into one command line) rather than exec() with a string. Validate command arguments against a strict allowlist, and reject values that begin with "-" so they cannot be parsed as options of the target program. Never build command strings by concatenating user input.
Can AI catch OS Command Injection in code review?
Yes — AI review identifies spawn/exec calls with string arguments that include any user-controlled value, even when the injection point is in a utility function far from the call site.
Has PullLight caught real OS Command Injection?
Yes. PullLight flagged OS Command Injection in @react-native-community/cli (CVE-2025-11953, CVSS 9.8, CISA KEV) and in Twenty CRM where SQLi chained to OS command execution (CVE-2026-46624, CVSS 9.1).
PullLight catches OS Command Injection in live code review.
Hooks into GitHub PRs automatically — flags taint flows, not just lint rules.
Try the live demo →
See an example review comment: Browse AI code review examples →