SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-676 Use of Potentially Dangerous Function

Coverage: 8 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 6Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged use of functions/APIs that are commonly unsafe when any part of their input can be attacker-controlled (dynamic eval, unsafe deserialization, shell execution, unsafe file operations).

Why it matters

Dangerous functions can enable execution or data exposure.

Safer examples

1) Avoid dynamic evaluation APIs

Avoid eval / Function / exec and parse known formats instead (see CWE-94 / CWE-95).

2) Avoid unsafe deserialization

Prefer JSON + schema validation over native object deserialization (see CWE-502).

3) Prefer safe subprocess usage

Use argument arrays and allowlists; avoid shell strings (see CWE-77 / CWE-78 / CWE-88).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.