AWS Lambda
AWS Lambda rules for Python
Run All AWS Lambda Rules
pathfinder scan --ruleset python/aws_lambda --project .
Rules
Lambda Command Injection via os.system()
CRITICAL: Lambda event data flows to os.system(), enabling arbitrary OS command execution inside the Lambda execution environment.
Lambda Command Injection via subprocess
CRITICAL: Lambda event data flows to subprocess with shell=True or as a string command, enabling OS command injection in the Lambda execution environment.
Lambda Command Injection via os.spawn*()
CRITICAL: Lambda event data flows to os.spawn*() functions, enabling process execution with attacker-controlled arguments in the Lambda execution environment.
Lambda Command Injection via asyncio.create_subprocess_shell()
CRITICAL: Lambda event data flows to asyncio.create_subprocess_shell(), enabling OS command injection in async Lambda handlers.
Lambda Command Injection via asyncio.create_subprocess_exec()
CRITICAL: Lambda event data flows to asyncio.create_subprocess_exec(), enabling argument injection in async Lambda handlers.
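The five command-injection rules above share one sink shape: event data reaches a shell, or reaches an argv element without validation. The example below is added here and is not pathfinder's own code or a rule's test case. It assumes a hypothetical API Gateway proxy event with a "target" query parameter and uses `echo` as a harmless stand-in for the real tool; the allow-list regex and the handler name are also assumptions. It runs the tainted shell form beside the argv form so the difference is observable, and adds the validation that create_subprocess_exec still needs, since an argv element can itself be an option.

```python
"""Command-injection sinks vs. argv lists in a Lambda handler (added example)."""
import asyncio
import re
import subprocess

# Constructed API Gateway proxy event; "target" is the attacker-controlled value.
# 'echo' stands in for whatever tool the real handler invokes, so the demo is harmless.
TAINTED_EVENT = {"queryStringParameters": {"target": "x; echo INJECTED"}}


def vulnerable_shell(event):
    """The pattern the rules flag: event data interpolated into a shell command string."""
    target = event["queryStringParameters"]["target"]
    # With shell=True (same for os.system / asyncio.create_subprocess_shell) the ';'
    # ends the first command and 'echo INJECTED' runs as a second one.
    proc = subprocess.run(f"echo {target}", shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def safe_exec(event):
    """argv list, no shell: the whole value reaches the program as one argument."""
    target = event["queryStringParameters"]["target"]
    proc = subprocess.run(["echo", target], capture_output=True, text=True)
    return proc.stdout.splitlines()


# Hypothetical allow-list for the example; a real handler should match the tool's
# actual argument grammar. The leading '-' check stops a value from becoming an option.
TARGET_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_target(target):
    if not isinstance(target, str) or not TARGET_RE.fullmatch(target) or target.startswith("-"):
        raise ValueError(f"rejected target: {target!r}")
    return target


async def safe_async_exec(target):
    """create_subprocess_exec takes argv elements, but an attacker-controlled element
    can still be a flag (argument injection), so the value is validated first."""
    proc = await asyncio.create_subprocess_exec(
        "echo", validate_target(target), stdout=asyncio.subprocess.PIPE
    )
    stdout, _ = await proc.communicate()
    return stdout.decode().strip()


def run_async_exec(target):
    """Synchronous wrapper so the async path can be exercised from plain code."""
    return asyncio.run(safe_async_exec(target))


def handler(event, context=None):
    """Hardened handler: validate, then pass the value as a single argv element."""
    try:
        validate_target(event["queryStringParameters"]["target"])
    except (KeyError, TypeError, ValueError):
        return {"statusCode": 400, "body": "invalid target"}
    return {"statusCode": 200, "body": "\n".join(safe_exec(event))}
```

With the tainted event, `vulnerable_shell` returns two lines (`x` and `INJECTED`) because the shell ran a second command, while `safe_exec` returns the one literal line `x; echo INJECTED`. The argv form alone stops shell metacharacters; the allow-list is what stops option injection.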
Lambda SQL Injection via psycopg2 cursor.execute()
CRITICAL: Lambda event data flows to psycopg2 cursor.execute() without parameterization, enabling SQL injection against RDS PostgreSQL or Aurora PostgreSQL backends.
Lambda SQL Injection via pymssql cursor.execute()
CRITICAL: Lambda event data flows to pymssql cursor.execute() without parameterization, enabling SQL injection against RDS SQL Server backends.
Lambda SQL Injection via PyMySQL cursor.execute()
CRITICAL: Lambda event data flows to PyMySQL cursor.execute() without parameterization, enabling SQL injection against RDS MySQL or Aurora MySQL backends via the pure-Python driver.
Lambda SQL Injection via SQLAlchemy execute()
CRITICAL: Lambda event data flows to SQLAlchemy session.execute() or connection.execute() without bound parameters, enabling SQL injection against any RDS backend.
Lambda Tainted SQL String Construction
HIGH: Lambda event data is used in SQL string construction via f-strings or concatenation before being passed to a database execute call, enabling SQL injection.
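The four driver-specific rules and the string-construction rule above describe the same defect: the value is spliced into the SQL text before execute() sees it. The example below is added here (not pathfinder's code) and uses an in-memory SQLite table as a stand-in for RDS so it runs offline; the table, rows and the path-parameter event are constructed. The parameterized call has the same `execute(sql, params)` shape in psycopg2, PyMySQL and pymssql, which use `%s` placeholders where sqlite3 uses `?`.

```python
"""Tainted SQL string vs. parameterized query, run against an in-memory SQLite table."""
import sqlite3

# Constructed events: the username comes straight from the request path.
ATTACK_EVENT = {"pathParameters": {"username": "nobody' OR '1'='1"}}
NORMAL_EVENT = {"pathParameters": {"username": "alice"}}


def make_db():
    """In-memory stand-in for the RDS backend; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def vulnerable_lookup(conn, event):
    """What the rules flag: the value is spliced into the SQL text before execute().
    The attack event turns the WHERE clause into  username = 'nobody' OR '1'='1'."""
    username = event["pathParameters"]["username"]
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, event):
    """Parameterized: the SQL text is constant and the value travels separately.
    sqlite3 uses '?'; psycopg2, PyMySQL and pymssql use '%s' with the same
    execute(sql, params) call; SQLAlchemy uses text("... = :u") with {"u": username}."""
    username = event["pathParameters"]["username"]
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
```

Against the constructed table, the attack event makes `vulnerable_lookup` return every user, while `safe_lookup` returns no rows because the driver compares the literal string `nobody' OR '1'='1` to the column.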
Lambda DynamoDB FilterExpression Injection
HIGH: Lambda event data flows to a DynamoDB FilterExpression string, enabling expression manipulation in serverless DynamoDB scan and query operations.
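DynamoDB expressions cannot carry inline literals, so the injection surface is the expression text itself: whenever an attribute name or operator fragment comes from the event, the attacker can rewrite the condition. The example below is added here (not pathfinder's code) and assumes a hypothetical handler that lets the caller pick a filter field and value; the allow-list of filterable attributes is an assumption. It builds the keyword arguments a boto3 `Table.scan(**kwargs)` call would take, without importing boto3, so it runs offline.

```python
"""DynamoDB FilterExpression built from event data vs. placeholder form (added example)."""

# Constructed events: the attacker controls both the field name and the value.
ATTACK_EVENT = {"queryStringParameters": {"field": "id <> :v OR id", "value": "x"}}
NORMAL_EVENT = {"queryStringParameters": {"field": "status", "value": "active"}}


def vulnerable_scan_args(event):
    """What the rule flags: expression text assembled from event data. The attack
    event yields 'id <> :v OR id = :v', which is true for every item in the table."""
    q = event["queryStringParameters"]
    return {
        "FilterExpression": f"{q['field']} = :v",
        "ExpressionAttributeValues": {":v": q["value"]},
    }


# Hypothetical allow-list of attributes this handler may filter on.
FILTERABLE = {"status", "owner", "region"}


def safe_scan_args(event):
    """Constant expression string; the name and value go through placeholders.
    Returns None for rejected input (the handler maps that to a 400)."""
    q = event["queryStringParameters"]
    field, value = q.get("field"), q.get("value")
    if field not in FILTERABLE:
        return None
    if not isinstance(value, str) or not value or len(value) > 256:
        return None
    # The '#f' alias also sidesteps DynamoDB reserved words such as 'status'.
    return {
        "FilterExpression": "#f = :v",
        "ExpressionAttributeNames": {"#f": field},
        "ExpressionAttributeValues": {":v": value},
    }
```

The hardened form keeps the FilterExpression a fixed string; the only event-derived pieces are a field name checked against the allow-list and a value that DynamoDB treats purely as data. The same shape applies to KeyConditionExpression on query().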
Lambda XSS via Tainted HTML Response Body
HIGH: Lambda event data is embedded directly in an HTML response body returned to API Gateway, enabling Cross-Site Scripting attacks against end users.
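The example below is added here (not pathfinder's code) to show the proxy-response shape the rule is looking at and the escaped form beside it. The event and the "name" parameter are constructed; the header set on the hardened response is a reasonable default, not something the page prescribes. Element text and a URL path segment are escaped differently, so the example does both.

```python
"""Reflected XSS in an API Gateway HTML response and the escaped form (added example)."""
import html
from urllib.parse import quote

# Constructed event with a script payload in the "name" query parameter.
XSS_EVENT = {"queryStringParameters": {"name": "<script>alert(1)</script>"}}


def vulnerable_page(event):
    """What the rule flags: event data dropped into the HTML body unchanged."""
    name = event["queryStringParameters"]["name"]
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "text/html"},
        "body": f"<h1>Hello {name}</h1>",
    }


def render(name):
    """Escape per context: html.escape for element text (quote=True also covers
    attribute values), urllib.parse.quote for a value placed in a URL path."""
    text_safe = html.escape(name, quote=True)
    url_safe = quote(name, safe="")
    return f'<h1>Hello {text_safe}</h1><a href="/users/{url_safe}">profile</a>'


def safe_page(event):
    name = event["queryStringParameters"]["name"]
    return {
        "statusCode": 200,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            # Defence in depth: even an escaping slip cannot run inline script.
            "Content-Security-Policy": "default-src 'none'; base-uri 'none'",
            "X-Content-Type-Options": "nosniff",
        },
        "body": render(name),
    }
```

`vulnerable_page` returns the `<script>` tag intact; `safe_page` returns `&lt;script&gt;...` in the heading and a percent-encoded path segment in the link. If the endpoint does not actually need to return HTML, returning `application/json` removes the sink entirely.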
Lambda Code Injection via eval() or exec()
CRITICAL: Lambda event data flows to eval() or exec(), enabling arbitrary Python code execution with the permissions of the function's IAM execution role and full access to the Lambda execution environment.
Lambda Remote Code Execution via Pickle Deserialization
CRITICAL: Lambda event data flows to pickle.loads() or pickle.load(), enabling arbitrary Python code execution during deserialization of attacker-controlled bytes.
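Both the eval()/exec() rule and the pickle rule cover sinks that execute attacker-supplied input rather than parse it. The example below is added here and is not pathfinder's code. It builds a constructed pickle whose `__reduce__` makes the unpickler call a function of the attacker's choosing (a benign recorder here, where a real payload would name `os.system`), shows the handler pattern the rule flags, and puts the replacements beside it: `json.loads` plus a shape check for request bodies, and `ast.literal_eval` where the input really is meant to be a Python literal. The event body, the `order_id` field and the handler names are assumptions.

```python
"""pickle.loads / eval on event data vs. json + literal_eval (added example)."""
import ast
import base64
import json
import pickle

_EXECUTED = []


def record_execution(msg):
    """Benign stand-in for the attacker's callable; a real gadget would name os.system."""
    _EXECUTED.append(msg)
    return msg


def execution_log():
    return list(_EXECUTED)


class Gadget:
    """Constructed malicious pickle: __reduce__ tells the unpickler which callable to
    invoke and with what arguments while rebuilding the object."""

    def __reduce__(self):
        return (record_execution, ("ran during pickle.loads",))


def build_malicious_body():
    """Base64 body an attacker would send to a handler that unpickles request data."""
    return base64.b64encode(pickle.dumps(Gadget())).decode()


def vulnerable_handler(event):
    """What the pickle rule flags: untrusted bytes are unpickled, so the gadget's
    callable runs before any application-level check can happen."""
    obj = pickle.loads(base64.b64decode(event["body"]))
    return {"statusCode": 200, "body": str(obj)}


def safe_handler(event):
    """Data-only format plus a shape check; json.loads never executes code."""
    try:
        data = json.loads(event["body"])
    except (ValueError, TypeError, KeyError):
        return {"statusCode": 400, "body": "malformed body"}
    # type() rather than isinstance() so that True/False are not accepted as ints.
    if not isinstance(data, dict) or type(data.get("order_id")) is not int:
        return {"statusCode": 400, "body": "order_id must be an integer"}
    return {"statusCode": 200, "body": json.dumps({"order_id": data["order_id"]})}


def safe_literal(text):
    """Replacement for eval() when the input is meant to be a Python literal:
    ast.literal_eval accepts literal syntax only and rejects calls, names and
    attribute access. Returns None for anything it will not evaluate."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None
```

Running `vulnerable_handler` on the constructed body appends to the execution log and returns the gadget's string, which is the rule's point: the code ran inside `pickle.loads` itself. `safe_handler` rejects the same body as malformed JSON, and `safe_literal` returns None for `__import__('os').getcwd()` while still evaluating ordinary literals.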