# Command Injection via child_process

- ID: javascript-command-injection
- Severity: CRITICAL
- CWE: OS Command Injection (CWE-78)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs, lambda, serverless, graphql

## Description

Detects untrusted input that flows into a `child_process` function which builds a shell command from a string (for example `exec()`). Because the string is handed to `/bin/sh`, metacharacters in the input (`;`, `|`, `&&`, `$(...)`, backticks) are interpreted as shell syntax rather than as data.

## Detection Message

Untrusted input from {source} reaches command execution at {sink}. This allows an attacker to execute arbitrary commands on the server.

## Remediation

Use `execFile()` (or `spawn()`) with an argument array instead of `exec()` with a string command. Without a shell, each array element reaches the program as a single argv entry and is never parsed for metacharacters. Do not pass `shell: true`, which reintroduces the shell and defeats the argument array. The input still becomes an argument to the program, so validate it against what that program expects and, where the program supports it, terminate option parsing with `--` so a value beginning with `-` cannot be read as an option.

```javascript
const { execFile } = require('child_process');

// `directory` reaches ls as one argv entry; no shell interprets it.
execFile('ls', ['-la', directory], (error, stdout) => {
  if (!error) console.log(stdout);
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-78/command-injection

## Related Rules

- **Command Injection via os/exec** [CRITICAL]:
- **OS Command Injection** [CRITICAL]: