What is OWASP ASI05 Unexpected Code Execution?
Unexpected code execution is when agent-generated or tool-mediated code runs without adequate sandboxing or review - turning text into RCE through coding agents or unsafe serialization.
What this looks like in production
Cursor-style incidents deleted production data because an agent had credentials and freedom to execute. Generated code bypasses controls written for human developers.
What teams usually do about it
- Sandbox agent-generated code with strict network and filesystem limits.
- Require review before shell execution in production paths.