Case #0006 | CRITICAL | REAL | AI Failure | General AI

[security] command injection in uploadMedia via shell concatenation (server.ts:665)

📋 Scenario

A malicious WhatsApp message that achieves prompt injection can craft a files array entry that breaks out of the curl invocation and executes arbitrary shell commands as the user running Claude Code, because the command line is built by string concatenation and handed to execSync.

Impact

Remote code execution and credential exposure (WhatsApp Cloud API token leaks into /proc/cmdline and audit logs).

🔍 Root Cause

Use of execSync with string concatenation instead of native fetch or array-based spawn.

Recommendation

Replace execSync + curl with native fetch + FormData, or use Bun.spawn with args array.
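As an added illustration (an editor's example, not code from the project this case describes), the three shapes side by side: the concatenated curl command line that execSync would hand to a shell, an argv array of the kind Bun.spawn takes, and a fetch + FormData request. The endpoint URL, token and upload directory are placeholders, and the file name used to exercise the failure mode is constructed. The separator counter is a simplified shell scanner (no backslash escapes or command substitution), enough to show why the concatenated form is dangerous.

```typescript
// Editor's example, not the project's code. URL, token and upload directory are placeholders.
const MEDIA_URL = "https://example.invalid/media";   // placeholder endpoint
const TOKEN = "ACCESS_TOKEN_PLACEHOLDER";             // placeholder, never a real token
const UPLOAD_DIR = "/var/app/uploads/";               // assumed upload directory

// BEFORE: the vulnerable pattern. A file name that originates in the message is spliced
// into a string a shell will parse, so quotes and metacharacters in it reshape the command.
// Returned as a string here; the original code passed such a string to execSync.
function buildShellCommand(filePath: string, mime: string): string {
  return `curl -s -X POST ${MEDIA_URL} ` +
    `-H "Authorization: Bearer ${TOKEN}" ` +
    `-F "file=@${filePath};type=${mime}" -F "messaging_product=whatsapp"`;
}

// Count ; | & that sit outside single or double quotes. One curl invocation has zero;
// anything more means the shell would run extra commands. Simplified scanner: it does not
// handle backslash escapes or $( ... ), which only makes the real shell more permissive.
function topLevelSeparators(cmd: string): number {
  let quote: '"' | "'" | null = null;
  let count = 0;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === ";" || ch === "|" || ch === "&") {
      count++;
    }
  }
  return count;
}

// Defensive check: the path must live directly in the upload directory and contain only
// characters that neither a shell nor curl's own -F mini-language (";type=", "@", "<")
// interprets. Pure string handling keeps the example dependency-free; real code should
// also resolve the path with path.resolve before comparing.
function safeUploadPath(filePath: string): string | null {
  if (!filePath.startsWith(UPLOAD_DIR)) return null;
  const rel = filePath.slice(UPLOAD_DIR.length);
  if (rel.length === 0 || rel.includes("..") || rel.includes("/")) return null;
  if (!/^[A-Za-z0-9._-]+$/.test(rel)) return null;
  return filePath;
}

// AFTER, option 1: argv array for an array-based spawn. Each element is exactly one
// argument and no shell is involved, so the file name can neither close nor extend the
// command. curl still parses ";type=" inside the -F value, hence safeUploadPath above.
function buildSpawnArgs(filePath: string, mime: string): string[] | null {
  const p = safeUploadPath(filePath);
  if (p === null) return null;
  return ["curl", "-s", "-X", "POST", MEDIA_URL,
    "-H", `Authorization: Bearer ${TOKEN}`,
    "-F", `file=@${p};type=${mime}`,
    "-F", "messaging_product=whatsapp"];
}

// AFTER, option 2 (the preferred fix): native fetch + FormData. The content is already in
// memory, so no path reaches any command line, and the token travels in an HTTP header
// rather than in argv, where a process listing or audit log would record it.
function buildFetchRequest(fileName: string, mime: string, content: string | ArrayBuffer):
  { url: string; method: string; headers: Record<string, string>; body: FormData } {
  const body = new FormData();
  body.append("messaging_product", "whatsapp");
  body.append("file", new Blob([content], { type: mime }), fileName);
  return { url: MEDIA_URL, method: "POST", headers: { Authorization: `Bearer ${TOKEN}` }, body };
}
```

Calling `fetch(req.url, { method: req.method, headers: req.headers, body: req.body })` sends the request; the argv form would be passed to Bun.spawn(args) or Node's execFile with the first element split off as the program. The path check is what turns the spawn variant from "no shell injection" into "no curl option injection" as well.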

🔑 Key Pattern

Command injection via shell concatenation

📚 Transferable Lesson

Never use execSync with string concatenation for user-influenced input; prefer native APIs or array-based spawn.

Intelligence Scores
Severity Score: 98/100
Quality Score: 95/100
AI Confidence: 93/100
Case Metadata
Industry: General AI
Failure Type: AI Failure
Risk Pattern: Security Risk
Case Type: REAL
Priority: HIGH
Validation: High Confidence