command-injection
Safeguard articles tagged "command-injection" — guides, analysis, and best practices for software supply chain and application security.
23 articles
Root cause: CVE-2022-40764, the Snyk CLI command injection
A crafted vendor.json field let attackers run shell commands from inside a security scanner — CVE-2022-40764 shows why CLI tools must never build shell strings.
Securing MCP Servers for AI Agents
Five CVEs in 2025 alone trace MCP tool compromise back to one root cause: unsanitized strings piped into exec(). Here's how to expose and consume MCP safely.
Ghostscript (CVE-2023-36664) Explained: Command Injection via Pipe Devices
CVE-2023-36664 let a crafted PostScript or EPS file run system commands through Ghostscript's mishandling of pipe device filenames. Because Ghostscript hides behind image tools, the blast radius was wide.
Ivanti Connect Secure CVE-2024-21887 Explained: Command Injection in a Two-Bug Chain
CVE-2024-21887 is a command injection in Ivanti Connect Secure that, chained with the auth bypass CVE-2023-46805, gave attackers unauthenticated RCE. Here is the timeline, root cause, and patched versions.
Command injection in Python: subprocess, os.system, and safe-by-default patterns
os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.
Command injection in Go: os/exec, exec.Command, and how it still goes wrong
Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.
Barracuda ESG CVE-2023-2868 Explained: The Command Injection That Ended in Hardware Replacement
CVE-2023-2868 is a command injection in the Barracuda Email Security Gateway, exploited as a zero-day by UNC4841 for months. Rated CVSS 9.8, it ended with Barracuda advising physical appliance replacement.
Preventing Command Injection in Python
Every time Python code shells out with user input, an attacker gets a vote on what the shell runs. The fix is almost always to stop using the shell at all.
Preventing Command Injection in Go: Allowlists, Argument Safety, and Sandboxing
os/exec keeps the shell out of your way — but user-controlled binaries, flag injection, and PATH tricks still get Go services popped. Here's the prevention playbook, not just the theory.
OWASP A03: Injection Explained — A Deep-Dive Guide
Injection ranks #3 in the OWASP Top 10 (2021) and now includes XSS. A deep dive into SQLi, command injection, real CVEs, and how to detect and fix it in 2026.
When the Vulnerability Is the Design: MCP STDIO Command Injection Across 150M Downloads (May 2026)
OX Security documented command injection through the MCP STDIO transport across Python, TypeScript, Java, and Rust SDKs. Anthropic calls the behavior by-design and won't patch upstream. That leaves the fix to thousands of downstream projects.
Cisco Firepower CVE-2024-20418 Lessons: Network Security Devices as Attack Surface
CVE-2024-20418 was a critical command injection in Cisco Firepower Management Center. The technical details, the exploitation reality, and what it teaches about NSM security.