[{"data":1,"prerenderedAt":209},["ShallowReactive",2],{"blog-vulnerabilities/command-injection":3},{"id":4,"title":5,"body":6,"category":189,"date":190,"dateModified":190,"description":191,"draft":192,"extension":193,"faq":194,"featured":192,"headerVariant":195,"image":194,"keywords":194,"meta":196,"navigation":197,"ogDescription":198,"ogTitle":194,"path":199,"readTime":200,"schemaOrg":201,"schemaType":202,"seo":203,"sitemap":204,"stem":205,"tags":206,"twitterCard":207,"__hash__":208},"blog/blog/vulnerabilities/command-injection.md","Command Injection Explained",{"type":7,"value":8,"toc":178},"minimark",[9,16,21,36,46,51,93,97,106,110,131,147,166],[10,11,12],"tldr",{},[13,14,15],"p",{},"Command injection occurs when user input is passed to shell commands without sanitization. Attackers can append commands using ; | && or backticks to run anything on your server. Never use exec() or system() with user input. Use specific APIs or spawn with argument arrays instead.",[17,18,20],"h2",{"id":19},"how-command-injection-works","How Command Injection Works",[22,23,25],"code-block",{"label":24},"Vulnerable: passing user input to exec()",[26,27,32],"pre",{"className":28,"code":30,"language":31},[29],"language-text","import { exec } from 'child_process';\n\n// User wants to ping a host\napp.get('/ping', (req, res) => {\n  const host = req.query.host;\n  // exec() runs the string through a shell, so metacharacters in host are interpreted\n  exec(`ping -c 1 ${host}`, (error, stdout) => {\n    res.send(stdout);\n  });\n});\n\n// Attacker sends: host=example.com; cat /etc/passwd\n// Executed: ping -c 1 example.com; cat /etc/passwd\n","text",[33,34,30],"code",{"__ignoreMap":35},"",[37,38,39],"danger-box",{},[13,40,41,45],{},[42,43,44],"strong",{},"Full server access:"," Command injection often leads to complete server compromise. Attackers can read files, install backdoors, pivot to other systems, or mine cryptocurrency on your server.",[47,48,50],"h3",{"id":49},"injection-characters","Injection Characters",[52,53,54,61,67,77,87],"ul",{},[55,56,57,60],"li",{},[33,58,59],{},";"," - Command separator",[55,62,63,66],{},[33,64,65],{},"|"," - Pipe to another command",[55,68,69,72,73,76],{},[33,70,71],{},"&&"," / ",[33,74,75],{},"||"," - Conditional execution",[55,78,79,82,83,86],{},[33,80,81],{},"`cmd`"," or ",[33,84,85],{},"$(cmd)"," - Command substitution",[55,88,89,92],{},[33,90,91],{},"\\n"," - Newline (new command)",[17,94,96],{"id":95},"how-to-prevent-command-injection","How to Prevent Command Injection",[22,98,100],{"label":99},"Safe: using spawn with argument array",[26,101,104],{"className":102,"code":103,"language":31},[29],"import { spawn } from 'child_process';\n\napp.get('/ping', (req, res) => {\n  const host = req.query.host;\n\n  // Validate input (query values may also be arrays or undefined, so check the type first)\n  if (typeof host !== 'string' || !/^[a-zA-Z0-9.-]+$/.test(host)) {\n    return res.status(400).send('Invalid host');\n  }\n\n  // Use spawn with arguments array (no shell!)\n  const ping = spawn('ping', ['-c', '1', host]);\n\n  ping.stdout.on('data', (data) => res.write(data));\n  ping.on('close', () => res.end());\n});\n",[33,105,103],{"__ignoreMap":35},[47,107,109],{"id":108},"prevention-rules","Prevention Rules",[52,111,112,115,125,128],{},[55,113,114],{},"Avoid shell commands entirely when possible",[55,116,117,118,121,122],{},"Use ",[33,119,120],{},"spawn()"," with argument arrays, not ",[33,123,124],{},"exec()",[55,126,127],{},"Validate and whitelist input strictly",[55,129,130],{},"Use library APIs instead of command-line tools",[132,133,134,141],"faq-section",{},[135,136,138],"faq-item",{"question":137},"Is escaping shell characters enough?",[13,139,140],{},"Escaping is error-prone and easy to bypass. Use spawn() with argument arrays, which bypass the shell entirely. If you must use exec(), use a well-tested escaping library.",[135,142,144],{"question":143},"What about Windows commands?",[13,145,146],{},"Windows has different syntax but similar risks. Characters like & | ^ work differently. The same solution applies: avoid shell commands and use argument arrays.",[148,149,150,156,161],"related-articles",{},[151,152],"related-card",{"description":153,"href":154,"title":155},"Similar injection pattern","/blog/vulnerabilities/sql-injection","SQL Injection",[151,157],{"description":158,"href":159,"title":160},"Related input issue","/blog/vulnerabilities/path-traversal","Path Traversal",[151,162],{"description":163,"href":164,"title":165},"Validation techniques","/blog/how-to/validate-user-input","Input Validation",[167,168,171,175],"cta-box",{"href":169,"label":170},"/","Start Free Scan",[17,172,174],{"id":173},"scan-for-injection-vulnerabilities","Scan for Injection Vulnerabilities",[13,176,177],{},"Our scanner tests for command injection patterns in your code.",{"title":35,"searchDepth":179,"depth":179,"links":180},2,[181,185,188],{"id":19,"depth":179,"text":20,"children":182},[183],{"id":49,"depth":184,"text":50},3,{"id":95,"depth":179,"text":96,"children":186},[187],{"id":108,"depth":184,"text":109},{"id":173,"depth":179,"text":174},"vulnerabilities","2026-01-12","Command injection lets attackers run arbitrary system commands through your application. Learn how it works and how to safely execute commands without risk.",false,"md",null,"red",{"noindex":197},true,"Learn how command injection works and how to prevent it.","/blog/vulnerabilities/command-injection","5 min read","[object Object]","TechArticle",{"title":5,"description":191},{"loc":199},"blog/vulnerabilities/command-injection",[],"summary_large_image","m_JgRDGAq1U18ARcHeMhJ04jEvpOkKh-U3s-XJnjWyw",1775843927004]