CVE-2025-63414: PHP User Input Shell Exec Without escapeshellarg()
greprules fetch cve-2025-63414-php-user-input-shell-exec-without-escapeshellarg --engine opengrep

Description
User-controlled HTTP input reaches a shell execution function (exec(), shell_exec(), system(), passthru() or the backtick operator) without per-argument escaping. Applying escapeshellcmd() to the full command string is insufficient: it neutralises command-chaining metacharacters such as ';', '|', '&' and backticks, but it intentionally leaves '/' and '.' unescaped, and it does not escape spaces or '-', so an attacker can still smuggle extra arguments into the command or traverse directories, enabling path traversal (CWE-22) and OS command injection (CWE-78). Each untrusted argument must be individually escaped with escapeshellarg(), or inp
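The following is an added example written for this page; it is not code from the rule, the scanner, or any affected project. It shows a hypothetical "convert an uploaded file" handler in the pattern the rule flags (escapeshellcmd() over the whole command line) next to a hardened version that validates the name, confines it to an assumed upload directory and escapes each argument with escapeshellarg(). The directory name, the convert tool, the function names and the two attacker inputs are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not from the rule page. UPLOAD_DIR and the `convert` tool are
// assumed for illustration.
const UPLOAD_DIR = '/var/app/uploads';

// VULNERABLE: escapeshellcmd() on the assembled command line. It escapes
// ; | & ` $ and friends, but leaves '/', '.', ' ' and '-' untouched, so a
// user-supplied name can still add arguments or walk out of UPLOAD_DIR.
function buildCommandVulnerable(string $userFile): string
{
    $cmd = 'convert ' . UPLOAD_DIR . '/' . $userFile . ' ' . UPLOAD_DIR . '/out.png';
    return escapeshellcmd($cmd);
}

// HARDENED: validate first, then escape every argument on its own.
function buildCommandHardened(string $userFile): string
{
    // 1. Accept only a plain file name: no path separators, no spaces,
    //    and no leading '-' that a program could parse as an option.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $userFile)) {
        throw new InvalidArgumentException('invalid file name');
    }
    // 2. Resolve the path and confirm it really lives under UPLOAD_DIR
    //    (realpath() also returns false for a file that does not exist).
    $path = realpath(UPLOAD_DIR . '/' . $userFile);
    if ($path === false || strpos($path, UPLOAD_DIR . '/') !== 0) {
        throw new InvalidArgumentException('file outside upload directory');
    }
    // 3. Quote each argument separately; '--' ends option parsing so the
    //    shell and the tool both see the name as exactly one operand.
    return 'convert -- ' . escapeshellarg($path) . ' '
        . escapeshellarg(UPLOAD_DIR . '/out.png');
}

// Constructed attacker inputs (not taken from the page): a traversal and an
// argument injection. Neither contains a character escapeshellcmd() touches.
$payloads = [
    '../../../etc/passwd',               // path traversal via '.' and '/'
    'x.png -o /var/www/html/out.php',    // extra argument via an unescaped space
];

foreach ($payloads as $p) {
    echo "input:      $p\n";
    echo "vulnerable: " . buildCommandVulnerable($p) . "\n";
    try {
        echo "hardened:   " . buildCommandHardened($p) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Running it shows the vulnerable builder returning both payloads unchanged, because escapeshellcmd() has nothing to escape in them, while the hardened builder rejects both before any command is formed. Note that escapeshellarg() alone is not a traversal fix: escapeshellarg('../../../etc/passwd') yields a single, safely quoted argument that still names /etc/passwd, which is why the allowlist and the realpath() containment check come before the escaping.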
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided