VC015A03:2021·CWE-78

Command injection

Command injection via `child_process.exec()` or `child_process.execSync()` with user input. Lets attackers run arbitrary shell commands on your server.

What this rule detects

VC015 flags `exec()` and `execSync()` calls where the command string includes a value derived from request input. The rule does not flag `conn.exec()` (database connections), `db.exec()`, or other unrelated `.exec()` methods — only the `child_process` ones.

Vulnerable vs. safe code

Vulnerable
import { exec } from "node:child_process";

// Attacker submits ?host=8.8.8.8; rm -rf /
app.get("/ping", (req, res) => {
  exec(`ping -c 4 ${req.query.host}`, (err, stdout) => {
    res.send(stdout);
  });
});
Safe
import { execFile } from "node:child_process";

// execFile takes args as an array — no shell interpretation.
app.get("/ping", (req, res) => {
  // Validate first.
  const host = req.query.host;
  if (!/^[\w.-]+$/.test(host)) {
    return res.status(400).send("Invalid host");
  }
  execFile("ping", ["-c", "4", host], (err, stdout) => {
    res.send(stdout);
  });
});

About A03:2021Injection

Injection happens when user input is concatenated directly into SQL queries, shell commands, HTML, or any other interpreter. SQL injection has been #1 or #2 on the OWASP Top 10 since the list was created in 2003 — it's the oldest class of web bug that still ships every week.

Impact: SQL injection: attacker reads or modifies your entire database. Command injection: attacker runs arbitrary shell commands on your server. XSS: attacker steals session cookies and impersonates other users. Each one is typically a critical-severity finding.

How to fix it: Always use parameterized queries (prepared statements) for SQL. Never use template literals or string concatenation with user input in queries. For HTML output, use your framework's auto-escaping. For shell commands, use APIs that take an array of arguments instead of `exec()` with a string.

Common patterns in this category:

  • SQL queries built with string concatenation or template literals
  • `child_process.exec()` called with user input concatenated into the command
  • `dangerouslySetInnerHTML` with user-controlled data
  • `eval()` or `Function()` called with user input
  • `innerHTML` assignment without sanitization

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2
CC6.1, CC7.1
ISO 27001
A.8.25, A.8.28
OWASP Top 10
A03:2021Injection
CWE
CWE-78

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC015 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

Scan Your Code →

Related rules in A03:2021

← All security rules
VC015: Command injection | XploitScan Rules