Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-88 (参数注入或修改) — Vulnerability Class 148

148 vulnerabilities classified as CWE-88 (参数注入或修改). AI Chinese analysis included.

CWE-88 represents a critical input validation weakness where software constructs command strings without properly delimiting arguments, options, or switches intended for external components. This flaw typically arises when developers interpolate user-controlled data directly into command lines, mistakenly assuming that only specified arguments will be processed. Attackers exploit this by injecting additional arguments or switches that alter the command’s behavior, potentially leading to unauthorized code execution or privilege escalation. To mitigate this risk, developers must strictly validate and sanitize all inputs before inclusion in command strings. Best practices include using parameterized APIs that separate commands from arguments, avoiding shell interpreters when possible, and employing allowlists to restrict acceptable input formats. By ensuring robust argument separation and rigorous input filtering, organizations can effectively prevent attackers from manipulating command execution contexts and maintain system integrity against injection-based attacks.

MITRE CWE Description
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. When creating commands using interpolation into a string, developers may assume that only the arguments/options that they specify will be processed. This assumption may be even stronger when the programmer has encoded the command in a way that prevents separate commands from being provided maliciously, e.g. in the case of shell metacharacters. When constructing the command, the developer may use whitespace or other delimiters that are required to separate arguments when the command. However, if an attacker can provide an untrusted input that contains argument-separating delimiters, then the resulting command will have more arguments than intended by the developer. The attacker may then be able to change the behavior of the command. Depending on the functionality supported by the extraneous arguments, this may have security-relevant consequences.
Common Consequences (1)
Confidentiality, Integrity, Availability, OtherExecute Unauthorized Code or Commands, Alter Execution Logic, Read Application Data, Modify Application Data
An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior.
Mitigations (5)
ImplementationWhere possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or …
Effectiveness: High
Architecture and DesignUnderstand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
ImplementationDirectly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.
ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalizat…
Examples (2)
Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.
my $arg = GetArgument("filename"); do_listing($arg); sub do_listing { my($fname) = @_; if (! validate_name($fname)) { print "Error: name is not well-formed!\n"; return; } # build command my $cmd = "/bin/ls -l $fname"; system($cmd); } sub validate_name { my($name) = @_; if ($name =~ /^[\w\-]+$/) { return(1); } else { return(0); } }
Bad · Perl
if ($name =~ /^\w[\w\-]+$/) ...
Good · Perl
CVE-2016-10033 / [REF-1249] provides a useful real-world example of this weakness within PHPMailer.
CVE IDTitleCVSSSeverityPublished
CVE-2025-52459 Advantech iView Argument Injection — iView 6.5 Medium2025-07-10
CVE-2025-46835 Git GUI can create and overwrite files for which the user has write permission — git-gui 8.5 High2025-07-10
CVE-2025-48385 Git alllows arbitrary file writes via bundle-uri parameter injection — git 8.8 -2025-07-08
CVE-2025-49520 Event-driven-ansible: authenticated argument injection in git url in eda project creation — Red Hat Ansible Automation Platform 2.5 for RHEL 8 8.8 High2025-06-30
CVE-2025-52480 Registrator.jl Argument Injection Vulnerability — Registrator.jl 9.8AICriticalAI2025-06-25
CVE-2025-35010 Microhard Bullet-LTE and IPn4Gii AT+MNPINGTM Argument Injection — IPn4Gii / Bullet-LTE Firmware 7.1 High2025-06-08
CVE-2025-35009 Microhard Bullet-LTE and IPn4Gii AT+MNNETSP Argument Injection — IPn4Gii / Bullet-LTE Firmware 7.1 High2025-06-08
CVE-2025-35008 Microhard Bullet-LTE and IPn4Gii AT+MMNAME Argument Injection — IPn4Gii / Bullet-LTE Firmware 7.1 High2025-06-08
CVE-2025-35007 Microhard Bullet-LTE and IPn4Gii AT+MFRULE Argument Injection — IPn4Gii / Bullet-LTE Firmware 7.1 High2025-06-08
CVE-2025-35006 Microhard Bullet-LTE and IPn4Gii AT+MFPORTFWD Argument Injection — IPn4Gii / Bullet-LTE Firmware 7.1 High2025-06-08
CVE-2025-35005 Microhard Bullet-LTE and IPn4Gii AT+MFMAC Argument Injection — IPn4Gii / Bullet-LTE Firmware 7.1 High2025-06-08
CVE-2025-35004 Microhard Bullet-LTE and IPn4Gii AT+MFIP Argument Injection — IPn4Gii / Bullet-LTE Firmware 7.1 High2025-06-08
CVE-2025-32459 ON Semiconductor Quantenna router_command.sh (in the sync_time argument) Argument Injection — Quantenna Wi-Fi chipset 7.7 High2025-06-08
CVE-2025-32458 ON Semiconductor Quantenna router_command.sh (in the get_syslog_from_qtn argument) Argument Injection — Quantenna Wi-Fi chipset 7.7 High2025-06-08
CVE-2025-32457 ON Semiconductor Quantenna router_command.sh (in the get_file_from_qtn argument) Argument Injection — Quantenna Wi-Fi chipset 7.7 High2025-06-08
CVE-2025-32456 ON Semiconductor Quantenna router_command.sh (in the put_file_to_qtn argument) Argument Injection — Quantenna Wi-Fi chipset 7.7 High2025-06-08
CVE-2025-32455 ON Semiconductor Quantenna router_command.sh (in the run_cmd argument) Argument Injection — Quantenna Wi-Fi chipset 7.7 High2025-06-08
CVE-2025-3460 ON Semiconductor Quantenna set_tx_pow Argument Injection — Quantenna Wi-Fi chipset 7.7 High2025-06-08
CVE-2025-3459 ON Semiconductor Quantenna transmit_file Argument Injection — Quantenna Wi-Fi chipset 7.7 High2025-06-08
CVE-2025-3945 Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) — Niagara Framework 7.2 High2025-05-22
CVE-2025-1712 Arbitrary file write with vcrtrace — Checkmk 6.5AIMediumAI2025-05-21
CVE-2025-31499 Jellyfin Vulnerable to Argument Injection in FFmpeg — jellyfin 8.8AIHighAI2025-04-15
CVE-2025-32931 Voyager 安全漏洞 — Voyager 9.1 Critical2025-04-14
CVE-2024-47516 Pagure: argument injection in pagurerepo.log() 9.8 Critical2025-03-25
CVE-2025-29768 Vim vulnerable to potential data loss with zip.vim and special crafted zip files — vim 4.4 Medium2025-03-13
CVE-2025-24845 Humming Heads Defense Platform 参数注入漏洞 — Defense Platform Home Edition 7.5 -2025-02-06
CVE-2025-0065 Improper Neutralization of Argument Delimiters in TeamViewer Clients — Remote Full Client 7.8 High2025-01-28
CVE-2022-31749 Authenticated arbitrary file read/write in WatchGuard Fireware OS — Fireware OS 6.5 Medium2025-01-27
CVE-2024-9131 A user with administrator privileges can perform command injection — Arista Edge Threat Management 7.2 High2025-01-10
CVE-2025-21613 go-git has an Argument Injection via the URL field — go-git 9.1 -2025-01-06

Vulnerabilities classified as CWE-88 (参数注入或修改) represent 148 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.