SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-88 Argument Injection

Coverage: 33 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 31Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged untrusted input being passed as arguments to a command-line tool in a way that can change the tool's behavior (even if you aren't using a shell).

Why it matters

Attackers can alter command behavior or access sensitive files.

Safer examples

1) Use allowlists for user-controlled arguments

allowed = {"status", "version"}
subcmd = subcmd if subcmd in allowed else "status"

2) Separate flags from values and use -- where supported

Many tools interpret -- as "end of flags," preventing user input from being parsed as options.

3) Don't let users control file paths passed to tools

If a path is needed, map an ID to a server-known location and validate it (see CWE-23 / CWE-36).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.