CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Abstraction: Class. Likelihood of exploit: High.
What it is
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Impact
| Scope | Impact |
|---|---|
| Confidentiality | Read Application Data |
| Access Control | Bypass Protection Mechanism |
| Other | Alter Execution Logic |
| Integrity, Other | Other |
| Non-Repudiation | Hide Activities |
Mitigations
- [Requirements] Where possible, choose languages, libraries and APIs that are not subject to these issues because they keep data and control-plane syntax apart: interfaces that take each value as a discrete argument or bound parameter, rather than a single string the downstream component has to parse again.
- [Implementation] Validate input against an allowlist of what is actually expected (character set, length, format) and, as a second layer, deny known control-plane syntax for the downstream component. A denylist on its own is fragile, since downstream parsers routinely accept more syntax than the list anticipates.
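The following is an added example, not code from the CWE entry or from any of the products listed on this page. It makes the definition above concrete with a POSIX shell as the downstream component: the same user-supplied name is spliced into a command string (the CVE-1999-0067 pattern), then neutralized by quoting, then passed through an argv list behind an allowlist. `phonebook` is a hypothetical external program; `shell_tokens` uses `shlex` in POSIX mode as a model of how the shell would lex the string, and the `--` option terminator assumes the downstream program follows the POSIX convention, which is why the allowlist is the primary control and `--` only a second layer.

```python
import re
import shlex

# Added example (not part of the CWE entry or of any real product). The downstream
# component is a POSIX shell; `phonebook` is a hypothetical external program in the
# spirit of the CGI phonebook lookup behind CVE-1999-0067.

SHELL_CONTROL_TOKENS = {"|", "||", "&", "&&", ";", ";;", "(", ")", "<", ">", ">>", "<<"}


def shell_tokens(command: str) -> list[str]:
    """Approximate how a POSIX shell lexes `command`: shlex in POSIX mode with
    punctuation_chars so operators such as '|' and ';' become their own tokens.
    This models the downstream parser; it does not execute anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def injected_operators(command: str) -> list[str]:
    """Control-plane tokens present in the command as the shell would see it."""
    return [tok for tok in shell_tokens(command) if tok in SHELL_CONTROL_TOKENS]


# --- Vulnerable: attacker data is concatenated into text the shell will parse ---
def build_shell_command_vulnerable(name: str) -> str:
    # With name = "alice|cat /etc/passwd" the shell sees a pipeline, not a name.
    return f"phonebook lookup {name}"


# --- Mitigation A: neutralize special elements before the string crosses over ---
def build_shell_command_quoted(name: str) -> str:
    # shlex.quote wraps the value so every shell metacharacter is literal data.
    return f"phonebook lookup {shlex.quote(name)}"


# --- Mitigation B: an API that never re-parses data (argv list) plus allowlist ---
# Allowlist of what a phonebook name is expected to look like. Requiring a leading
# letter also means no accepted value can look like an option, the argument-
# injection shape behind CVE-2022-36069.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,63}")


def is_safe_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def build_argv_hardened(name: str) -> list[str]:
    """argv for subprocess.run(argv) with shell=False: each element reaches the
    program as exactly one argument via execve, so '|' or ';' inside it is just
    bytes. '--' ends option parsing, assuming the hypothetical program honours the
    POSIX convention; the allowlist is the primary control, '--' a second layer."""
    if not is_safe_name(name):
        raise ValueError(f"rejected name: {name!r}")
    return ["phonebook", "lookup", "--", name]


if __name__ == "__main__":
    evil = "alice|cat /etc/passwd"  # constructed malicious input
    print("vulnerable :", shell_tokens(build_shell_command_vulnerable(evil)))
    print("operators  :", injected_operators(build_shell_command_vulnerable(evil)))
    print("quoted     :", shell_tokens(build_shell_command_quoted(evil)))
    print("argv       :", build_argv_hardened("alice"))
    for bad in (evil, "--upload-pack=evil", "$(id)"):
        print("allowlist  :", repr(bad), "->", is_safe_name(bad))
```

Mitigation B is the one to reach for first: it satisfies the [Requirements] item above because the shell is removed from the path entirely and nothing re-parses the data. Quoting (Mitigation A) is the fallback for the cases where a string genuinely has to cross into a shell, and it only neutralizes shell syntax; whatever the invoked program does with an argument that starts with a dash is still the program's own parsing, which is why the allowlist and `--` remain relevant even then.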
Real-world CVE examples
- CVE-2024-5184 — API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.
- CVE-2022-36069 — Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning
- CVE-1999-0067 — Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
- CVE-2022-1509 — Injection of sed script syntax ("sed injection").
- CVE-2020-9054 — Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
- CVE-2021-44228 — Product does not neutralize ${xyz} style expressions, allowing remote code execution (the Log4Shell vulnerability).
Source: MITRE CWE, cwe.mitre.org.