CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
常见后果
影响范围: Access Control
技术影响: Bypass Protection Mechanism
说明: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
影响范围: Access Control
技术影响: Gain Privileges or Assume Identity
说明: Injected code can access resources that the attacker is directly prevented from accessing.
影响范围: Integrity Confidentiality Availability
技术影响: Execute Unauthorized Code or Commands
说明: When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. As a result, code injection can often result in the execution of arbitrary code. Code injection attacks can also lead to loss of data integrity in nearly all cases, since the control-plane data injected is always incidental to data recall or writing.
影响范围: Non-Repudiation
技术影响: Hide Activities
说明: Often the actions performed by injected control code are unlogged.
潜在缓解措施
阶段: Architecture and Design
描述: Refactor your program so that you do not have to dynamically generate code.
阶段: Architecture and Design
阶段: Implementation
策略: Input Validation
阶段: Testing
描述: Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
阶段: Testing
描述: Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
阶段: Operation
策略: Compilation or Build Hardening
描述: Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
阶段: Operation
策略: Environment Hardening
描述: Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
阶段: Implementation
有效性: Discouraged Common Practice
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2023-29374
Math component in an LLM framework translates user input into a Python expression that is input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
参考: CVE-2024-5565
Python-based library uses an LLM prompt containing user input to dynamically generate code that is then fed as input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
参考: CVE-2024-4181
Framework for LLM applications allows eval injection via a crafted response from a hosting provider.
参考: CVE-2022-2054
Python compiler uses eval() to execute malicious strings as Python code.
参考: CVE-2021-22204
Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.
参考: CVE-2020-8218
"Code injection" in VPN product, as exploited in the wild per CISA KEV.
参考: CVE-2008-5071
Eval injection in PHP program.
参考: CVE-2002-1750
Eval injection in Perl program.
参考: CVE-2008-5305
Eval injection in Perl program using an ID that should only contain hyphens and numbers.
参考: CVE-2002-1752
Direct code injection into Perl eval function.
参考: CVE-2002-1753
Eval injection in Perl program.
参考: CVE-2005-1527
Direct code injection into Perl eval function.
参考: CVE-2005-2837
Direct code injection into Perl eval function.
参考: CVE-2005-1921
MFV. code injection into PHP eval statement using nested constructs that should not be nested.
参考: CVE-2005-2498
MFV. code injection into PHP eval statement using nested constructs that should not be nested.
参考: CVE-2005-3302
Code injection into Python eval statement from a field in a formatted file.
参考: CVE-2007-1253
Eval injection in Python program.
参考: CVE-2001-1471
chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.
参考: CVE-2002-0495
Perl code directly injected into CGI library file from parameters to another CGI program.
参考: CVE-2005-1876
Direct PHP code injection into supporting template file.
参考: CVE-2005-1894
Direct code injection into PHP script that can be accessed by attacker.
参考: CVE-2003-0395
PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | CODE | Code Evaluation and Injection | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 3.5 | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 3.5 | - |
| ISA/IEC 62443 | Part 4-1 | Req SVV-1 | - |
| ISA/IEC 62443 | Part 4-1 | Req SVV-3 | - |
关键信息
CWE ID: CWE-94
抽象级别: Base
结构: Simple
状态: Draft
利用可能性: Medium