CWE-88 Argument Injection
What this means
SiteShadow flagged untrusted input being passed as arguments to a command-line tool in a way that can change the tool's behavior (even if you aren't using a shell).
Why it matters
Attackers can alter command behavior or access sensitive files.
- Many tools treat arguments as flags (e.g., --output, --config, --load), which can lead to reading/writing unexpected files.
- Argument injection can still lead to RCE depending on the called program.
Safer examples
1) Use allowlists for user-controlled arguments
allowed = {"status", "version"}
subcmd = subcmd if subcmd in allowed else "status"
2) Separate flags from values and use -- where supported
Many tools interpret -- as "end of flags," preventing user input from being parsed as options.
3) Don't let users control file paths passed to tools
If a path is needed, map an ID to a server-known location and validate it (see CWE-23 / CWE-36).
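The three practices above combined in one argv builder, as an added example (not SiteShadow's or any project's own code). It assumes grep is the called tool; the report IDs, file paths and mode names are constructed for illustration.

```python
import subprocess

# Constructed sample data: server-known locations keyed by an opaque ID.
REPORTS = {
    "daily": "/var/reports/daily.log",
    "audit": "/var/reports/audit.log",
}

# Allowlist of modes; the server, not the caller, decides which flags each one means.
MODES = {
    "count": ["-c"],   # print the number of matching lines
    "lines": ["-n"],   # print matching lines with line numbers
}


def build_grep_argv(mode, pattern, report_id):
    """Build an argv list in which no user-supplied value can be parsed as an option."""
    if mode not in MODES:
        raise ValueError("unsupported mode")
    if report_id not in REPORTS:
        raise ValueError("unknown report id")
    if not pattern or "\x00" in pattern:
        raise ValueError("invalid pattern")
    # Flags come first and are all server-chosen. "--" ends option parsing,
    # so a pattern such as "-v" or "--config=x" stays a plain search term.
    # -F makes grep treat the pattern as a fixed string, not a regex.
    return ["grep", "-F", *MODES[mode], "--", pattern, REPORTS[report_id]]


def run_search(mode, pattern, report_id):
    """Run grep without a shell, using only the validated argv."""
    argv = build_grep_argv(mode, pattern, report_id)
    return subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=10, check=False
    )


if __name__ == "__main__":
    # Constructed input: a value that looks like a flag ends up after "--".
    print(build_grep_argv("count", "--config=x", "daily"))
```

The caller never supplies a flag or a path: mode and report ID are looked up in server-side tables, and the only free-form value is placed after the -- separator.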
How SiteShadow detects it (high level)
- Detects command execution APIs and flags request-derived input used in argument lists.
- Prioritizes cases where arguments control file paths, config loading, or execution features.
References
- CWE-88: https://cwe.mitre.org/data/definitions/88.html
---