Glossary · Term

command injection

← all terms

Definition

Plain language

A security bug where attacker-controlled text gets run as a real system command.

As stated in the literature

A vulnerability in which untrusted input reaches a shell or command-execution context (e.g., invoking a subprocess with shell enabled), letting an attacker run arbitrary commands; a canonical insecure-code pattern probed in AI coding-agent safety work.

Why it matters: It is one of the most damaging coding mistakes because it can hand an attacker control over the machine running the program.

For example, a web form that passes a user's text straight into a system command could let someone type in an extra command that deletes files on the server.

Heard on the show

“Shell-equals-true command injection.”
Episode 093 — A Calibrated Knob for Weak-to-Strong AI Oversight, Tested on Real Code

Mentioned in 1 episode

  1. 093
    A Calibrated Knob for Weak-to-Strong AI Oversight, Tested on Real Code

Related terms