CWE-454: External Initialization of Trusted Variables or Data Stores
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers.
For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts.
For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers.
For users who wish to see all available information for the CWE/CAPEC entry.
For users who want to customize what details are displayed.
×
Edit Custom FilterThe product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.
A product system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.
![]()
![]() ![]()
![]() ![]()
![]()
![]() Languages PHP (Sometimes Prevalent) Class: Not Language-Specific (Undetermined Prevalence) Example 1 In the Java example below, a system property controls the debug level of the application. (bad code)
Example Language: Java
int debugLevel = Integer.getInteger("com.domain.application.debugLevel").intValue();
If an attacker is able to modify the system property, then it may be possible to coax the application into divulging sensitive information by virtue of the fact that additional debug information is printed/exposed as the debug level increases. Example 2 This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set. (bad code)
Example Language: PHP
$debugEnabled = false;
if ($_POST["debug"] == "true"){ $debugEnabled = true; }/.../ function login($username, $password){ if($debugEnabled){ }echo 'Debug Activated'; }phpinfo(); $isAdmin = True; return True; Any user can activate the debug mode, gaining administrator privileges. An attacker may also use the information printed by the phpinfo() function to further exploit the system. . This example also exhibits Information Exposure Through Debug Information (CWE-215)
![]()
Relationship
Overlaps Missing variable initialization, especially in PHP.
Applicable Platform This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.
More information is available — Please edit the custom filter or select a different filter. |
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. |