Safeguard
Tag

code-injection

Safeguard articles tagged "code-injection" — guides, analysis, and best practices for software supply chain and application security.

7 articles

Application Security

Code injection risks in CLI tools and IDE plugins

A malicious npm dependency hid in event-stream for 8M downloads before detection. Developer tooling is a code-injection blast radius most teams never audit.

Jul 15, 20266 min read
Vulnerability Management

Text4Shell deep dive: how CVE-2022-42889 turned string formatting into RCE

CVSS 9.8. Apache Commons Text 1.5–1.9 ran attacker strings through a script interpolator by default — here's the root cause and the fix.

Jul 12, 20266 min read
Application Security

Python code injection: eval, exec, and pickle explained

eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.

Jul 8, 20265 min read
AI Security

Code injection risks in GenAI-generated code

Nearly 40% of GitHub Copilot's suggested programs contain exploitable vulnerabilities, and 19.7% of AI-generated code samples reference packages that don't exist.

Jul 8, 20267 min read
Vulnerability Analysis

lodash template code injection (CVE-2021-23337)

CVE-2021-23337 lets attackers inject code via lodash's template function. Here's the impact, affected versions, CVSS/EPSS context, and how to remediate it.

Jan 12, 20268 min read
Vulnerability Analysis

underscore.js template code injection (CVE-2021-23358)

CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.

Jan 5, 20267 min read
Industry Analysis

Code Injection via eval() and exec() Across Languages

eval() and exec() turn dynamic code execution into remote code execution. A cross-language look at how it happens in Python, JS, PHP, and Ruby.

Nov 7, 20257 min read
code-injection — Safeguard Blog