CWE-94: Improper Control of Generation of Code ('Code Injection')
Published weakness record · Medium
Released 2006-07-19 · last modified 2026-04-30
Metadata
- CWE ID: CWE-94
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Release Date: 2006-07-19
- Latest Modification Date: 2026-04-30
Weakness Name
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
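As an added illustration (not part of the CWE record itself), the following Python shows the weakness beside its mitigation: a hypothetical calculator feature that evaluates a user-supplied arithmetic string. The unsafe version splices the input straight into code via eval(); the hardened version parses the text and interprets only an explicitly allowed grammar, so input can supply values but cannot alter which code runs. All function names are assumptions.

```python
import ast
import operator

# Constructed example: a calculator-style feature evaluating user-supplied text.
# Function names are hypothetical, not from any real project.

# Vulnerable (CWE-94): the raw string becomes part of the program's code.
def evaluate_unsafe(expr: str) -> float:
    return eval(expr)  # untrusted input executed as Python code

# Hardened: parse first, then interpret only a small allow-list of node types
# (numeric literals, unary minus, and + - * /). Anything else is rejected
# before evaluation, rather than attempting to "sanitise" the string.
_ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}

def evaluate_safe(expr: str) -> float:
    tree = ast.parse(expr, mode="eval")  # SyntaxError on malformed input

    def walk(node: ast.AST) -> float:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # type() check deliberately excludes bool, which subclasses int
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
            return _ALLOWED_BINOPS[type(node.op)](walk(node.left), walk(node.right))
        # Calls, attribute access, names, subscripts, comprehensions, etc.
        # are not arithmetic: refuse them outright.
        raise ValueError(f"unsupported syntax: {type(node).__name__}")

    return walk(tree)

def is_accepted(expr: str) -> bool:
    """True if the hardened evaluator accepts expr as plain arithmetic."""
    try:
        evaluate_safe(expr)
        return True
    except (ValueError, SyntaxError):
        return False
```

Both evaluators agree on genuine arithmetic; only the hardened one refuses input whose syntax would change the program's behaviour.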
Common Consequences
- Scope: Access Control
  Impact: Bypass Protection Mechanism
  Notes: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
- Scope: Access Control
  Impact: Gain Privileges or Assume Identity
  Notes: Injected code can access resources that the attacker is directly prevented from accessing.
- Scope: Integrity, Confidentiality, Availability
  Impact: Execute Unauthorized Code or Commands
  Notes: When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. As a result, code injection can often result in the execution of arbitrary code. Code injection attacks can also lead to loss of data integrity in nearly all cases, since the control-plane data injected is always incidental to data recall or writing.
- Scope: Non-Repudiation
  Impact: Hide Activities
  Notes: Often the actions performed by injected control code are unlogged.