CWE-78 · Improper Neutralization of Special Elements used in an OS Command

Remote Code Execution

9 case studies

Remote Code Execution (RCE) is the highest-impact vulnerability class because it gives an attacker code execution with the privileges of the server process and, in cloud environments, a pivot point to the rest of the infrastructure. RCE can arise from OS command injection, unsafe eval, unvalidated deserialization, or sandbox escape: different root causes that share the common outcome of attacker-chosen code running server-side.

RCE is hard to catch in review because the dangerous sink is often a framework primitive that is legitimate in other contexts: eval() in a template engine, child_process.exec() in a build tool, or deserialize() in a session handler. The dangerous property is not the function itself but the fact that its argument can be influenced by an attacker.

PullLight flags eval() and Function() calls, child_process.exec/spawn calls where any argument (the command string, an argv element, or a shell: true invocation) contains a user-influenced value, deserialization calls on untrusted data, and sandbox implementations built on the Node.js vm module (vm.Script, vm.runInNewContext, vm.compileFunction) or similar mechanisms. That last pattern is the one behind the jsonpath-plus sandbox escape (CVE-2024-21534).

Case studies in this class

CVSS   CVE             Project        Case study
10.0   CVE-2025-55182  react2shell    React2Shell RCE: RCE via unvalidated RSC deserialization
10.0   CVE-2026-44005  vm2            vm2 Sandbox Escape: prototype pollution / sandbox escape
9.9    CVE-2025-49113  roundcubemail  Roundcube Post-Auth RCE: PHP object deserialization via the _from parameter
9.8    CVE-2025-31488  winston-auth   Winston Auth RCE: RCE via eval() on unsanitized auth metadata
9.8    CVE-2024-23897  jenkins        Jenkins CLI Argument Injection: CLI argument injection via args4j expandAtFiles()
9.8    CVE-2025-24813  tomcat         Tomcat Partial PUT RCE: path equivalence + unsafe deserialization in DefaultServlet
9.8    CVE-2025-24813  tomcat         Apache Tomcat Path Equivalence RCE: RCE via partial PUT path equivalence
9.1    CVE-2024-49768  waitress       Waitress TOCTOU Race: TOCTOU race in HTTP pipelining
9.0    CVE-2024-21534  jsonpath-plus  jsonpath-plus RCE: sandbox escape via unsafe use of the Node.js vm module

Frequently asked questions

What is Remote Code Execution (RCE)?
RCE is a class of vulnerabilities that allows an attacker to execute arbitrary code on the target server. It can result from OS command injection, unsafe eval, unvalidated deserialization, sandbox escape, or path traversal to an executable location.
How do you prevent RCE?
Never pass user-controlled input to eval(), Function(), exec(), or deserialize() without strict validation. Use parameterized APIs (an argv array handed to execFile/spawn without a shell) instead of shell string construction. Deserialize only from trusted sources with a type allowlist. Don't build your own sandbox on eval() or the Node.js vm module; run untrusted code in a properly isolated environment such as a separate process, container, or purpose-built runtime.
Can AI catch RCE in code review?
Yes — AI review traces data flow from request input to dangerous execution sinks and identifies the taint chain even when it crosses multiple files or layers of abstraction.
Has PullLight caught real RCE vulnerabilities?
Yes. PullLight flagged RCE in react2shell (CVE-2025-55182, CVSS 10.0), winston-auth (CVE-2025-31488, CVSS 9.8), jsonpath-plus (CVE-2024-21534, CVSS 9.0), jenkins (CVE-2024-23897, CVSS 9.8), and Apache Tomcat (CVE-2025-24813, CVSS 9.8).
PullLight catches Remote Code Execution in live code review.
Hooks into GitHub PRs automatically — flags taint flows, not just lint rules.
Try the live demo →
See an example review comment: Browse AI code review examples →