What is command injection (OS command injection)?
Last reviewed June 2, 2026
Command injection, also called OS command injection (CWE-78), is a flaw where untrusted input is passed to a system shell and executed as part of a command. Because the attacker controls part of the command line, they can run arbitrary operating system commands with the privileges of the application, often leading to full remote code execution.
What command injection is
Command injection occurs when an application builds an operating system command from untrusted input and hands that command to a shell for execution. The shell interprets metacharacters such as semicolons, pipes, ampersands, newlines, backticks, and $(...) command substitution, so input that contains these characters can append, chain, or substitute additional commands the developer never intended to run.
The root cause is mixing data and code on a single command line. When user input is concatenated into a shell string, the boundary between the intended command and the user data disappears, and the operating system treats injected text as new instructions.
How command injection works
- An application invokes a shell (for example via system, popen, os.system, subprocess.run with shell=True, or Node's child_process.exec) and includes user input in the command string.
- The user supplies input containing shell metacharacters such as ; or | or && or backticks or $(...) instead of the expected value.
- The shell parses the combined string, runs the intended command, then runs the attacker-supplied command that was appended or chained.
- A related variant, argument injection, occurs when user input lands in a position where the invoked program reads it as a command-line option. It abuses options the program itself supports rather than shell parsing, so it works even when no shell is involved.
Impact of command injection
Because injected commands run with the privileges of the application process, the impact is usually severe. Attackers can read or modify files, exfiltrate secrets and credentials, pivot to internal systems, and frequently achieve full remote code execution on the host.
- Full server compromise and remote code execution.
- Disclosure of configuration files, credentials, and sensitive data.
- Lateral movement into internal networks and backend services.
- Persistence, malware installation, and destruction of data.
How to prevent command injection
- Avoid calling a shell entirely. Use process APIs that take the program and an array of arguments (for example subprocess.run with a list, or execve), so input is never interpreted as shell syntax.
- Prefer native library functions over shelling out, for example use a file API instead of invoking a copy command.
- If a program must be invoked with user-controlled arguments, validate the input against a strict allowlist of permitted values rather than trying to block bad characters. Reject values that begin with a dash, and place user-controlled values after the end-of-options marker (--) where the program honors it, so the input cannot be read as an option.
- Run the process with the least privilege necessary and in a constrained environment (a dedicated low-privilege account, container, or sandbox) so a successful injection causes limited damage.
- Never rely on escaping or denylists alone, since metacharacter handling varies between shells and is easy to get wrong.
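The mechanism described under "How command injection works" and the defenses listed above, worked through as an added example (this code is not part of the original page). It uses echo as a stand-in for a real program such as ping so that it runs offline on any system with a POSIX /bin/sh and a coreutils-style echo; the hostname allowlist, the payloads, and the function names are assumptions made for illustration.

```python
import re
import subprocess

# Assumption: echo stands in for a real command such as "ping -c 1 <host>" so the
# example runs offline on any POSIX system. The injection mechanics are identical.


def run_vulnerable(hostname: str) -> str:
    """Concatenates untrusted input into a shell string and hands it to /bin/sh.
    Every shell metacharacter inside `hostname` is parsed as shell syntax."""
    command = "echo pinging " + hostname
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def run_hardened(hostname: str) -> str:
    """Passes the program and its arguments as a list. No shell is involved, so
    the whole of `hostname` reaches echo as one literal argument."""
    result = subprocess.run(["echo", "pinging", hostname],
                            capture_output=True, text=True)
    return result.stdout


def run_option_position(value: str) -> str:
    """Argument injection: the list form still lets a value that starts with '-'
    be read as an option when it lands in an option position (here: echo -n)."""
    return subprocess.run(["echo", value], capture_output=True, text=True).stdout


# Strict allowlist for a hostname (assumed policy): letters, digits, dots and
# hyphens, at most 253 characters, and no leading hyphen so the value can never
# be mistaken for a command-line option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_hostname(value: str) -> bool:
    return HOSTNAME_RE.fullmatch(value) is not None


def validate_hostname(value: str) -> str:
    """Rejects anything outside the allowlist instead of trying to escape it."""
    if not is_valid_hostname(value):
        raise ValueError(f"rejected hostname: {value!r}")
    return value


def run_safely(hostname: str) -> str:
    """Allowlist validation plus the shell-free call: the recommended pattern."""
    return run_hardened(validate_hostname(hostname))


if __name__ == "__main__":
    # Constructed payloads: each chains or substitutes a command via a metacharacter.
    payloads = [
        "localhost; echo INJECTED",      # command separator
        "localhost|echo INJECTED",       # pipe
        "localhost$(echo INJECTED)",     # command substitution
    ]
    for payload in payloads:
        print("shell string :", repr(run_vulnerable(payload)))
        print("argument list:", repr(run_hardened(payload)))
    # Argument injection survives the list form: "-n" is parsed as an option.
    print("option position with '-n':", repr(run_option_position("-n")))
    for candidate in payloads + ["-n", "example.com"]:
        print(candidate, "->", "allowed" if is_valid_hostname(candidate) else "rejected")
```

Running it shows the shell-string version emitting a second line, INJECTED, for each payload, while the list version prints the payload verbatim as part of one line. The -n case shows why the allowlist forbids a leading dash: the list form alone does not stop a program from interpreting its own options. For programs that support it, passing -- before user-controlled values closes the same gap; echo is an example of a program that does not, which is why the validation step is not optional.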
Keep exploring
- CWE-78: OS Command Injection. The Common Weakness Enumeration entry for OS command injection.
- What is remote code execution? The frequent outcome of a successful command injection.
- What is SQL injection? A related injection flaw targeting database queries.
- What is path traversal? Another input-handling flaw that exposes the host file system.
- What is a CWE? How weaknesses like CWE-78 are catalogued.
- CWE directory. Browse the full Common Weakness Enumeration.
Frequently asked questions
- What is the difference between command injection and code injection?
- Command injection runs operating system commands through a shell and is catalogued as CWE-78. Code injection (CWE-94) causes the application to execute attacker-supplied code in the application's own language, for example by passing a string to eval. Both let attackers run unintended logic, but the execution context differs.
- Does command injection always lead to remote code execution?
- It very often does, because the attacker can run arbitrary OS commands. The actual reach depends on the privileges of the process and any sandboxing, but command injection is generally treated as a critical, RCE-class flaw.
- Is escaping user input enough to stop command injection?
- No. Escaping is fragile because shell parsing rules differ across platforms and shells. The reliable fix is to avoid the shell and pass arguments as a structured array to a parameterized process API.
- What is argument injection?
- Argument injection is a related issue where user input is placed into command-line arguments without invoking a shell. Attackers abuse the target program's own options, for example injecting a flag that changes behavior or writes files, even when no shell metacharacters are involved. Passing arguments as an array does not prevent it; the defenses are allowlist validation that rejects leading dashes and, where the program supports it, placing user-controlled values after the -- end-of-options marker.