CWE-114 Process Control
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 4Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged external input influencing process control: what gets executed/loaded, how it's executed, or what libraries/modules are loaded. This includes dynamic library loading paths, executable names, and environment variables that affect loaders.
Why it matters
Attackers can load malicious libraries or alter execution flow.
- Code execution: running attacker-chosen binaries or loading attacker-controlled libraries.
- Privilege escalation: if a privileged service loads from untrusted paths.
- Persistence: malicious loaders/plugins can survive restarts if the path is controlled.
Safer examples
1) Don't let users choose executables or library paths
Use allowlisted commands and fixed paths; never accept "binary path" from a request.
2) Use safe subprocess APIs (no shell strings)
import subprocess
subprocess.run(["git", "status"], check=True) # allowlisted
import { spawn } from "node:child_process";
spawn("git", ["status"], { stdio: "inherit" });
3) Lock down environment and loader behavior
Avoid passing untrusted env vars like LD_LIBRARY_PATH / PYTHONPATH into privileged processes; run with least privilege.
How SiteShadow detects it (high level)
- Detects process execution and dynamic loading APIs and checks whether command/path/env inputs are externally controlled.
- Flags risky patterns like shell execution, user-controlled search paths, and dynamic library loading from writable locations.
References
- CWE-114: https://cwe.mitre.org/data/definitions/114.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.