CWE-676 Use of Potentially Dangerous Function
What this means
SiteShadow flagged a call to a function or API that is commonly unsafe whenever any part of its input can be attacker-controlled: dynamic evaluation, unsafe deserialization, shell execution, or unsafe file operations.
Why it matters
Dangerous functions can hand an attacker code execution or expose data that was never meant to leave the process.
- These APIs often turn small mistakes into RCE, data leaks, or privilege escalation.
- They're "foot-guns": easy to use incorrectly, hard to secure after the fact.
Safer examples
1) Avoid dynamic evaluation APIs
Avoid eval / Function / exec and parse known formats instead (see CWE-94 / CWE-95).
2) Avoid unsafe deserialization
Prefer JSON + schema validation over native object deserialization (see CWE-502).
3) Prefer safe subprocess usage
Use argument arrays and allowlists; avoid shell strings (see CWE-77 / CWE-78 / CWE-88).
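The three patterns above in one runnable Python file, as an added example that is not SiteShadow's own code: each call the scanner would flag sits next to its safer replacement. The `USER_SCHEMA` record layout, the `echo-arg` tool allowlist, the `EVIL_EXPR` and `EVIL_PICKLE` payloads and the sample inputs are constructed for illustration only; the unsafe variants are kept for comparison and are never called.

```python
"""Added example, not SiteShadow's own code: each flagged call next to its safer form."""
import json
import pickle
import subprocess
import sys

# Constructed attacker inputs for the demo. Neither is ever passed to an unsafe call here.
EVIL_EXPR = "__import__('os').system('echo pwned') or [1, 2, 3]"
EVIL_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."  # protocol-0 pickle that calls os.system


# 1) Dynamic evaluation -------------------------------------------------------
def parse_numbers_unsafe(text):
    # FLAGGED: eval() executes whatever the string contains (CWE-94/95).
    return eval(text)


def parse_numbers(text):
    """Parse a JSON array of numbers; anything else is rejected, never executed."""
    try:
        value = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not a JSON array: {exc.msg}") from None
    # type() rather than isinstance(): bool is a subclass of int and must not slip through.
    if not (isinstance(value, list) and all(type(x) in (int, float) for x in value)):
        raise ValueError("expected a JSON array of numbers")
    return value


# 2) Deserialization ----------------------------------------------------------
# Hypothetical record schema: field name -> exact type. A real project would use a
# schema library; this hand-rolled check keeps the example dependency-free.
USER_SCHEMA = {"id": int, "name": str, "admin": bool}


def load_user_unsafe(blob):
    # FLAGGED: pickle.loads() runs code embedded in the bytes (CWE-502).
    return pickle.loads(blob)


def load_user(blob):
    """Decode JSON, then enforce the schema: exact key set and exact types."""
    obj = json.loads(blob)  # JSONDecodeError is a ValueError subclass
    if not isinstance(obj, dict) or set(obj) != set(USER_SCHEMA):
        raise ValueError("unexpected or missing fields")
    for key, typ in USER_SCHEMA.items():
        if type(obj[key]) is not typ:
            raise ValueError(f"field {key!r} must be {typ.__name__}")
    return obj


# 3) Subprocess ---------------------------------------------------------------
# Hypothetical allowlist: tool name -> fixed argv prefix. The only tool here is the
# current interpreter echoing its first argument, so the demo runs anywhere.
ALLOWED_TOOLS = {"echo-arg": [sys.executable, "-c", "import sys; print(sys.argv[1])"]}


def run_tool_unsafe(tool, arg):
    # FLAGGED: shell string; an arg like "x; rm -rf /" is parsed by the shell (CWE-78).
    return subprocess.run(f"{tool} {arg}", shell=True, capture_output=True, text=True)


def run_tool(tool, arg):
    """Allowlisted program, untrusted value passed as a single argv element, no shell."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool {tool!r} is not allowed")
    if "\0" in arg:
        raise ValueError("NUL byte in argument")
    argv = [*ALLOWED_TOOLS[tool], arg]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def rejects(fn, *args):
    """True if fn(*args) raises ValueError, the rejection signal used above."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_numbers("[1, 2.5, -3]"), rejects(parse_numbers, EVIL_EXPR))
    print(load_user(b'{"id": 7, "name": "ann", "admin": false}'), rejects(load_user, EVIL_PICKLE))
    # The shell metacharacters come back as literal text: nothing was interpreted.
    print(run_tool("echo-arg", "x; echo pwned"), rejects(run_tool, "rm", "-rf"))
```

The safe variants share one design: the untrusted value is only ever data to a parser or a single argv element, never program text. Rejection is a plain ValueError so callers can fail closed without distinguishing "malformed" from "malicious".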
How SiteShadow detects it (high level)
- Recognizes known risky APIs across common stacks.
- Prioritizes cases where inputs are derived from untrusted sources (requests, env, network, files).
References
- CWE-676: https://cwe.mitre.org/data/definitions/676.html
---