Skip to main content
Injection flaws occur when an application sends untrusted data to an interpreter as part of a command or query. This includes SQL injection, NoSQL injection, OS command injection, LDAP injection, XSS, and expression language injection.
CodeAnt AI detects Injection vulnerabilities across 21 languages: Python, Java, JavaScript, TypeScript, Go, C#, C, C++, Ruby, PHP, Kotlin, Swift, Rust, Scala, Bash, Clojure, Elixir, Terraform, HTML, YAML, Apex.

Detected Vulnerabilities

Severity: Critical

Description

The application constructs SQL queries using unsanitized user input, allowing attackers to modify the query logic to access, modify, or delete database contents.

Impact

Complete database compromise including data theft, data modification, authentication bypass, and in some cases remote code execution on the database server.

Remediation

Use parameterized queries or prepared statements exclusively. Use ORM frameworks with built-in protection. Never concatenate user input into SQL strings. Apply input validation as defense-in-depth.
Severity: Critical

Description

The application passes unsanitized user input to operating system commands, allowing attackers to execute arbitrary commands on the host system.

Impact

Full system compromise. Attackers can execute arbitrary commands with the privileges of the application, install malware, exfiltrate data, or pivot to other systems.

Remediation

Avoid calling OS commands with user input. Use language-native libraries instead of shell commands. If shell commands are necessary, use strict allowlists and parameterized execution (e.g., subprocess with list arguments in Python).
Severity: High

Description

The application includes untrusted data in web pages without proper validation or escaping, allowing attackers to execute scripts in victims’ browsers.

Impact

Session hijacking, defacement, redirecting users to malicious sites, keylogging, and stealing sensitive data from the user’s browser context.

Remediation

Encode output based on context (HTML, JavaScript, URL, CSS). Use Content Security Policy (CSP) headers. Use templating engines that auto-escape by default. Sanitize HTML input with proven libraries.
Severity: Critical

Description

The application allows user input to be executed as code, typically through eval(), exec(), or similar dynamic code execution functions.

Impact

Remote code execution. Attackers can run arbitrary code on the server, leading to complete application and potentially system compromise.

Remediation

Never use eval(), exec(), or similar functions with user input. Use safe alternatives like JSON parsing for data. Implement sandboxing if dynamic code execution is absolutely required.
Severity: Critical

Description

The application dynamically evaluates code using user-controlled data in functions like eval(), Function(), template engines, or expression languages.

Impact

Arbitrary code execution in the application context. Attackers can read files, access databases, make network requests, or completely take over the application.

Remediation

Eliminate all uses of eval() and dynamic code evaluation with user input. Use safe parsing libraries. If expression evaluation is needed, use sandboxed expression evaluators with restricted capabilities.
Severity: Critical

Description

The application constructs commands using unsanitized externally-supplied input, which can be manipulated to execute unintended commands.

Impact

Attackers can execute arbitrary system commands, potentially gaining full control of the server, accessing sensitive files, or using the server as a pivot point for further attacks.

Remediation

Use APIs and libraries that are not susceptible to injection instead of shell commands. If commands are necessary, validate inputs against a strict allowlist. Use parameterized command execution.
Severity: High

Description

The application constructs LDAP queries using unsanitized user input, allowing attackers to modify the query to access unauthorized directory entries.

Impact

Authentication bypass, unauthorized access to directory information, and potential modification of LDAP entries including user accounts and permissions.

Remediation

Use parameterized LDAP queries. Escape special LDAP characters in user input. Validate input against expected formats. Use LDAP frameworks with built-in injection protection.
Severity: High

Description

The application processes XML input that contains references to external entities, which can be exploited to access local files, perform server-side request forgery, or cause denial of service.

Impact

Reading local files from the server, scanning internal networks via SSRF, denial of service through billion-laughs attacks, and in some cases remote code execution.

Remediation

Disable external entity processing in XML parsers. Use defusedxml in Python, disable DTDs in Java XML parsers, use libxml_disable_entity_loader in PHP. Prefer JSON over XML where possible.
Severity: Critical

Description

The application evaluates user-controlled data within expression language (EL) contexts such as Spring EL, OGNL, MVEL, or template engines, allowing arbitrary expression execution.

Impact

Remote code execution through expression language evaluation. Attackers can access application internals, execute system commands, and fully compromise the server.

Remediation

Never pass user input to expression language evaluators. Use parameterized templates. Restrict expression language capabilities in template engines. Apply strict input validation.
Severity: Medium

Description

The application generates CSV files with user-controlled data without sanitizing formula characters, allowing injection of spreadsheet formulas that execute when opened.

Impact

When users open the CSV in spreadsheet applications, injected formulas can exfiltrate data, execute commands, or install malware on the user’s workstation.

Remediation

Prefix cell values starting with =, +, -, @, \t, \r with a single quote. Use CSV libraries that handle formula injection (e.g., defusedcsv in Python). Sanitize all user input before CSV export.
Severity: Critical

Description

The application constructs NoSQL queries using unsanitized user input, allowing attackers to manipulate query logic in databases like MongoDB, CouchDB, or DynamoDB.

Impact

Authentication bypass, unauthorized data access, data manipulation, and potential denial of service through malicious query operators.

Remediation

Use parameterized queries or ODM frameworks. Validate input types strictly (reject objects when strings are expected). Sanitize MongoDB operators like $gt, $ne, $where from user input.