Weakness reference
CWE-428

Unquoted Search Path or Element

01 Summary

This weakness occurs when a program searches for or executes files using a path that is not properly quoted, allowing an attacker to inject and execute a malicious file with a crafted name. If a search path includes a directory with spaces or special characters, and that path is not quoted, the operating system may interpret part of the directory name as a separate command or argument, leading to unintended code execution.

02 How It Happens

When an application constructs a file path or command line without proper quoting, the operating system's command parser may split the path at spaces or other delimiters. For example, if a program launches C:\Program Files\MyApp\tool.exe without quotes, the system may first look for an executable named C:\Program, treating Files\MyApp\tool.exe as separate arguments. An attacker who can write a file such as C:\Program.exe into a location that is resolved before the intended one can trick the application into executing that file instead of the intended tool. This is particularly dangerous in Windows environments, where the current directory is often included in the search path by default.

03 Real-World Impact

Successful exploitation can lead to arbitrary code execution with the privileges of the vulnerable application. If the application runs with elevated permissions (such as SYSTEM or administrator), an attacker can gain full control of the system. Even without elevated privileges, an attacker can compromise user data, install malware, or use the compromised application as a pivot point for further attacks on the network.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import subprocess
import os

# Vulnerable: unquoted path with spaces
app_path = "C:\\Program Files\\MyApp\\tool.exe"
user_input = "data.txt"

# If attacker creates C:\Program.exe, it will be executed instead
subprocess.call(app_path + " " + user_input)

Why it's vulnerable:
The path contains spaces and is not quoted. The operating system may interpret C:\Program.exe as the executable and treat the rest as arguments, allowing an attacker to place a malicious Program.exe in C:\ to hijack execution.

Fixed pattern
import subprocess

# Fixed: properly quoted path, so the whole path is parsed as one token
app_path = r'"C:\Program Files\MyApp\tool.exe"'
user_input = "data.txt"
subprocess.call(app_path + " " + user_input)

# Alternatively, pass a list of arguments (preferred): subprocess quotes
# the executable path itself, so no unquoted path ever reaches the OS
subprocess.call([r"C:\Program Files\MyApp\tool.exe", user_input])

Vulnerable pattern
<?php
// Vulnerable: unquoted path in shell command
$tool_path = "C:\\Program Files\\MyApp\\tool.exe";
$user_file = $_GET['file'];

// Dangerous: spaces in path are not quoted
exec($tool_path . " " . escapeshellarg($user_file), $output);
?>

Why it's vulnerable:
Although escapeshellarg() protects the user input, the tool path itself is unquoted. If an attacker can write a file to C:\Program.exe, the system will execute that instead of the intended tool.

Fixed pattern
<?php
// Fixed: properly quoted path
$tool_path = '"C:\\Program Files\\MyApp\\tool.exe"';
$user_file = $_GET['file'];

// Safe: path is quoted and user input is escaped
exec($tool_path . " " . escapeshellarg($user_file), $output);
?>

05 Prevention Checklist

Always quote file paths that may contain spaces or special characters when constructing command lines or search paths.
Use language-native APIs (such as subprocess.call() with a list argument in Python) that do not require shell parsing, rather than string concatenation.
Avoid relying on the current working directory or system PATH for critical executables; use absolute, fully qualified paths.
Restrict write permissions on directories that appear early in the search path (such as C:\ on Windows or /usr/local/bin on Unix).
Regularly audit application startup code, service configurations, and scheduled tasks for unquoted paths.
On Windows, disable the implicit search of the current directory (.) in PATH if your application does not require it.
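An audit helper for the service-configuration check in the list above, added here as an example (it is not part of the original reference page). It applies the prefix rule from the "How It Happens" section to a constructed set of service ImagePath values, lists the paths a defender should confirm are absent and not user-writable, and produces the quoted form. The service names, the paths, and the heuristic that the executable ends at the first ".exe" are assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample of service ImagePath values, like those an auditor reads
# from the registry or `sc qc`; not taken from any real system.
SAMPLE_SERVICES: Dict[str, str] = {
    "MyAppSvc": r"C:\Program Files\MyApp\tool.exe --service",
    "QuotedSvc": r'"C:\Program Files\MyApp\tool.exe" --service',
    "NoSpaceSvc": r"C:\Tools\agent.exe --service",
    "NestedSvc": r"C:\Program Files\My App\bin\agent.exe",
}

_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.I | re.S)  # exe = up to first ".exe"

def split_image_path(cmdline: str) -> Tuple[str, str]:
    """Split a command line into (executable, arguments)."""
    if cmdline.startswith('"'):  # already quoted: the quoted token is the exe
        end = cmdline.find('"', 1)
        return (cmdline[1:], "") if end == -1 else (cmdline[1:end], cmdline[end + 1:].strip())
    m = _EXE_RE.match(cmdline)
    return (m.group(1), (m.group(2) or "").strip()) if m else (cmdline, "")

def hijack_candidates(cmdline: str) -> List[str]:
    """Paths Windows tries before the intended exe when the path is unquoted and
    has spaces: each prefix ending at a space, plus ".exe" if it has no extension."""
    if cmdline.startswith('"'):
        return []
    exe, _ = split_image_path(cmdline)
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates

def quote_image_path(cmdline: str) -> str:
    """Return the same command line with the executable path double-quoted."""
    if cmdline.startswith('"'):
        return cmdline
    exe, args = split_image_path(cmdline)
    return f'"{exe}" {args}'.rstrip()

def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Only the services whose ImagePath is hijackable, each mapped to the
    paths a defender should confirm are absent and not writable by users."""
    return {n: c for n, p in services.items() if (c := hijack_candidates(p))}
```

An empty candidate list means the entry is already safe; for each flagged entry the remediation is to replace the ImagePath with the value returned by quote_image_path().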

06 Signs You May Already Be Affected

Check your application logs for unexpected executable files being launched, or for error messages indicating that a tool failed to run correctly. On Windows systems, examine the C:\ root directory and other early PATH locations for suspicious .exe files that do not belong to your organization. Review file creation timestamps in sensitive directories to identify when unauthorized files may have been written.

07 Related Recent Vulnerabilities