Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.4)  

CWE-1125: Excessive Attack Surface

Weakness ID: 1125
Abstraction: Base
Structure: Simple
Status: Incomplete
Presentation Filter:
+ Description
The product has an attack surface whose quantitative measurement exceeds a desirable maximum.
+ Extended Description

Originating from software security, an "attack surface" measure typically reflects the number of input points and output points that can be utilized by an untrusted party, i.e. a potential attacker. A larger attack surface provides more places to attack, and more opportunities for developers to introduce weaknesses. In some cases, this measure may reflect other aspects of quality besides security; e.g., a product with many inputs and outputs may require a large number of tests in order to improve code coverage.

+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
ChildOfClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.1120Excessive Code Complexity
+ Relevant to the view "Software Development" (CWE-699)
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1226Complexity Issues
+ Weakness Ordinalities
(where the weakness is a quality issue that might indirectly make it easier to introduce security-relevant weaknesses or make them more difficult to detect)
+ References
[REF-966] Pratyusa Manadhata. "An Attack Surface Metric". 2008-11. <>.
[REF-967] Pratyusa Manadhata and Jeannette M. Wing. "Measuring a System's Attack Surface". 2004. <>.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2018-07-02CWE Content TeamMITRE
Entry derived from Common Quality Enumeration (CQE) Draft 0.9.
+ Modifications
Modification DateModifierOrganization
2020-02-24CWE Content TeamMITRE
updated Relationships
More information is available — Please select a different filter.
Page Last Updated: March 15, 2021