OS Command Injection
User input is interpolated into a shell command, letting the attacker execute arbitrary commands on the host.
GateTest coverage
Caught by: security, crossFileTaint
Example
    const { exec } = require('child_process');
    // Vulnerable: the untrusted filename is concatenated into a single shell string,
    // so metacharacters such as ; | ` $( ) in req.body.filename become extra commands.
    exec('convert ' + req.body.filename + ' output.png');
How to fix it
Use execFile or spawn with an argument array and no shell (not exec, and never shell: true), so the shell never sees the input and cannot reinterpret metacharacters in it. An argument array only removes the shell from the picture: the program you invoke still parses its own arguments, so validate filenames against a strict allowlist that also rejects a leading "-" (option injection) and path separators. Never pass req.body / req.query / req.params straight into a command.
Scan your repo for CWE-78
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-78 (OS Command Injection)?
User input is interpolated into a shell command, letting the attacker execute arbitrary commands on the host.
How do I fix os command injection?
Use execFile or spawn with an argument array and no shell (not exec, and never shell: true), so the shell never sees the input and cannot reinterpret metacharacters in it. An argument array only removes the shell from the picture: the program you invoke still parses its own arguments, so validate filenames against a strict allowlist that also rejects a leading "-" (option injection) and path separators. Never pass req.body / req.query / req.params straight into a command.
Does GateTest detect os command injection?
Yes. GateTest's security and crossFileTaint modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is OS Command Injection in the CWE Top 25?
OS Command Injection is ranked #5 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).