Description

A command injection vulnerability exists in this LLM-powered web application where user-supplied input is not adequately sanitized. This flaw allows attackers to prepare arbitrary operating system commands and ask the LLM to execute them.

Remediation

Implement strict input validation and sanitization to ensure that user input is never passed directly to OS-level commands. Use parameterized API calls or safe execution libraries, enforce allowlists for acceptable inputs, and review logging and error handling to minimize exposure.

References

OWASP Top 10 for Large Language Model Applications

Related Vulnerabilities

Apache Log4j2 JNDI Remote Code Execution (delayed)

Drupal Core 8.4.x Remote Code Execution (8.4.0 - 8.4.7)

WordPress 2.0.2 Username Remote PHP Code Injection Vulnerability (0.6.2 - 2.0.2)

WordPress Plugin open-flash-chart-core Remote Code Execution (0.4)

Drupal Core 8.5.x Remote Code Execution (8.5.0 - 8.5.10)

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution