CWE-88 Argument Injection
Coverage: 33 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 31Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged untrusted input being passed as arguments to a command-line tool in a way that can change the tool's behavior (even if you aren't using a shell).
Why it matters
Attackers can alter command behavior or access sensitive files.
- Many tools treat arguments as flags (e.g.,
--output,--config,--load) which can lead to reading/writing unexpected files. - Argument injection can still lead to RCE depending on the called program.
Safer examples
1) Use allowlists for user-controlled arguments
allowed = {"status", "version"}
subcmd = subcmd if subcmd in allowed else "status"
2) Separate flags from values and use -- where supported
Many tools interpret -- as "end of flags," preventing user input from being parsed as options.
3) Don't let users control file paths passed to tools
If a path is needed, map an ID to a server-known location and validate it (see CWE-23 / CWE-36).
How SiteShadow detects it (high level)
- Detects command execution APIs and flags request-derived input used in argument lists.
- Prioritizes cases where arguments control file paths, config loading, or execution features.
References
- CWE-88: https://cwe.mitre.org/data/definitions/88.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.