Executing an OS command without specifying an absolute or relative path exposes the application to PATH-hijacking attacks.

Why is this an issue?

When an OS command is executed using only its name (without an absolute or relative path), the operating system searches each directory listed in the PATH environment variable until it finds a matching executable. If an attacker can write to any directory listed in PATH, or can prepend a directory they control to PATH, they can place a malicious executable with the same name as the intended command. The next time the application executes the command, the malicious binary will run instead of the intended one.

What is the potential impact?

Arbitrary command execution

If a directory in PATH is writable by an unprivileged user, or if an attacker can influence the value of PATH, they can substitute the expected executable with a malicious binary of the same name. This gives the attacker arbitrary code execution in the context of the application, which may lead to data exfiltration, privilege escalation, or full system compromise.

How to fix it

Code examples

The following code executes a command by name only, causing the operating system to search PATH to locate the executable.

Noncompliant code example

const cp = require('child_process');
cp.exec('file.exe'); // Noncompliant

Compliant solution

const cp = require('child_process');
cp.exec('/usr/bin/file.exe');
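
When the install location of a command is not fixed, the PATH condition described above can be checked before execution. The following is an added example, not part of the original rule text: checkEntry, auditPath and resolveTrusted are hypothetical helper names, and the check assumes POSIX permission bits.

```javascript
const fs = require('fs');
const path = require('path');

// Return why a PATH entry is unsafe to search, or null when it looks safe.
function checkEntry(entry) {
  // Empty and relative entries are resolved against the current directory.
  if (entry === '' || !path.isAbsolute(entry)) return 'relative-or-empty';
  let stats;
  try {
    stats = fs.statSync(entry);
  } catch (err) {
    // The directory does not exist, so its future contents are unknown.
    return 'missing';
  }
  if (!stats.isDirectory()) return 'not-a-directory';
  // 0o020 = group-writable, 0o002 = world-writable.
  if (stats.mode & 0o022) return 'group-or-world-writable';
  return null;
}

// Audit a PATH-style string and list every entry that fails checkEntry.
function auditPath(pathValue) {
  return pathValue
    .split(path.delimiter)
    .map((entry) => ({ entry, reason: checkEntry(entry) }))
    .filter((finding) => finding.reason !== null);
}

// Resolve a bare command name to an absolute path, searching only the
// directories that pass checkEntry. Returns null when nothing safe is found.
function resolveTrusted(name, dirs) {
  if (path.basename(name) !== name) return null; // bare names only
  for (const dir of dirs) {
    if (checkEntry(dir) !== null) continue; // skip unsafe directories
    const candidate = path.join(dir, name);
    try {
      fs.accessSync(candidate, fs.constants.X_OK);
      if (fs.statSync(candidate).isFile()) return candidate;
    } catch (err) {
      // Not present or not executable here; keep searching.
    }
  }
  return null;
}
```

The path returned by resolveTrusted can be passed to cp.execFile, so the operating system never performs its own PATH search.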

Resources

Standards