CWE - VIEW SLICE: CWE-1450: Weaknesses in OWASP Top Ten RC1 (2025) (4.19.1)

CWE VIEW: Weaknesses in OWASP Top Ten RC1 (2025)

View ID: 1450

Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph

Downloads: Booklet | CSV | XML

Objective

CWE entries in this view (graph) are associated with the first release candidate (RC1) of the OWASP Top Ten, as released in 2025.

Audience

Stakeholder	Description
Software Developers	This view outlines the most important issues as identified by the OWASP Top Ten (2025 RC1), providing a good starting point for web application developers who want to code more securely.
Product Customers	This view outlines the most important issues as identified by the OWASP Top Ten (2025 RC1), providing product customers with a way of asking their software development teams to follow minimum expectations for secure code.
Educators	Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students.

Relationships

div.collapseblock { display:inline }

The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.

Show Details:

Expand All | Collapse All

1450 - Weaknesses in OWASP Top Ten RC1 (2025)

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A01:2025 - Broken Access Control - (1436)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control)

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2025.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Sensitive Cookie with Improper SameSite Attribute - (1275)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 1275 (Sensitive Cookie with Improper SameSite Attribute)

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Exposure of Sensitive Information to an Unauthorized Actor - (200)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 200 (Exposure of Sensitive Information to an Unauthorized Actor)

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Information Disclosure Information Leak

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insertion of Sensitive Information Into Sent Data - (201)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 201 (Insertion of Sensitive Information Into Sent Data)

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Storage of File with Sensitive Data Under Web Root - (219)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 219 (Storage of File with Sensitive Data Under Web Root)

The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Directory traversal Path traversal

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 23 (Relative Path Traversal)

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. Zip Slip

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 276 (Incorrect Default Permissions)

During installation, installed file permissions are set to allow anyone to modify those files.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 281 (Improper Preservation of Permissions)

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 282 (Improper Ownership Management)

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 283 (Unverified Ownership)

The product does not properly verify that a critical resource is owned by the proper entity.

Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. Improper Access Control - (284)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 284 (Improper Access Control)

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Authorization

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 285 (Improper Authorization)

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. AuthZ

Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability. Cross-Site Request Forgery (CSRF) - (352)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 352 (Cross-Site Request Forgery (CSRF))

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. Session Riding Cross Site Reference Forgery XSRF CSRF

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Exposure of Private Personal Information to an Unauthorized Actor - (359)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 359 (Exposure of Private Personal Information to an Unauthorized Actor)

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. Privacy violation Privacy leak / Privacy leakage PPI PII PHI

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 36 (Absolute Path Traversal)

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 377 (Insecure Temporary File)

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Creation of Temporary File in Directory with Insecure Permissions - (379)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 379 (Creation of Temporary File in Directory with Insecure Permissions)

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Transmission of Private Resources into a New Sphere ('Resource Leak') - (402)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 402 (Transmission of Private Resources into a New Sphere ('Resource Leak'))

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. Resource Leak

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 424 (Improper Protection of Alternate Path)

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 425 (Direct Request ('Forced Browsing'))

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. forced browsing

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Unintended Proxy or Intermediary ('Confused Deputy') - (441)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 441 (Unintended Proxy or Intermediary ('Confused Deputy'))

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. Confused Deputy

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Exposure of Sensitive System Information to an Unauthorized Control Sphere - (497)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere)

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 538 (Insertion of Sensitive Information into Externally-Accessible File or Directory)

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Inclusion of Sensitive Information in Source Code - (540)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 540 (Inclusion of Sensitive Information in Source Code)

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Exposure of Information Through Directory Listing - (548)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 548 (Exposure of Information Through Directory Listing)

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Files or Directories Accessible to External Parties - (552)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 552 (Files or Directories Accessible to External Parties)

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Authorization Bypass Through User-Controlled SQL Primary Key - (566)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 566 (Authorization Bypass Through User-Controlled SQL Primary Key)

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Link Resolution Before File Access ('Link Following') - (59)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 59 (Improper Link Resolution Before File Access ('Link Following'))

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. insecure temporary file Zip Slip

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. URL Redirection to Untrusted Site ('Open Redirect') - (601)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 601 (URL Redirection to Untrusted Site ('Open Redirect'))

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Open Redirect Cross-site Redirect Cross-domain Redirect Unvalidated Redirect Drive-by download

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 61 (UNIX Symbolic Link (Symlink) Following)

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. Symlink following symlink vulnerability

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Inclusion of Sensitive Information in Source Code Comments - (615)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 615 (Inclusion of Sensitive Information in Source Code Comments)

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authorization Bypass Through User-Controlled Key - (639)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 639 (Authorization Bypass Through User-Controlled Key)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Insecure Direct Object Reference / IDOR Broken Object Level Authorization / BOLA Horizontal Authorization

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 65 (Windows Hard Link)

The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 668 (Exposure of Resource to Wrong Sphere)

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Incorrect Permission Assignment for Critical Resource - (732)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 732 (Incorrect Permission Assignment for Critical Resource)

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 749 (Exposed Dangerous Method or Function)

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 862 (Missing Authorization)

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. AuthZ

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 863 (Incorrect Authorization)

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. AuthZ

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 918 (Server-Side Request Forgery (SSRF))

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. XSPA SSRF

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1436 (OWASP Top Ten 2025 Category A01:2025 - Broken Access Control) > 922 (Insecure Storage of Sensitive Information)

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration - (1437)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration)

Weaknesses in this category are related to the A02 category "Security Misconfiguration" in the OWASP Top Ten 2025.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 1004 (Sensitive Cookie Without 'HttpOnly' Flag)

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. ASP.NET Misconfiguration: Creating Debug Binary - (11)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 11 (ASP.NET Misconfiguration: Creating Debug Binary)

Debugging messages help attackers learn about the system and plan a form of attack.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. ASP.NET Misconfiguration: Improper Model Validation - (1174)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 1174 (ASP.NET Misconfiguration: Improper Model Validation)

The ASP.NET application does not use, or incorrectly uses, the model validation framework.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. ASP.NET Misconfiguration: Password in Configuration File - (13)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 13 (ASP.NET Misconfiguration: Password in Configuration File)

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. External Control of System or Configuration Setting - (15)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 15 (External Control of System or Configuration Setting)

One or more system settings or configuration elements can be externally controlled by a user.

Category - a CWE entry that contains a set of other entries that share a common characteristic. Configuration - (16)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 16 (Configuration)

Weaknesses in this category are typically introduced during the configuration of the software.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 260 (Password in Configuration File)

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Cleartext Storage of Sensitive Information in a Cookie - (315)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 315 (Cleartext Storage of Sensitive Information in a Cookie)

The product stores sensitive information in cleartext in a cookie.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 489 (Active Debug Code)

The product is released with debugging code still enabled or active. Leftover debug code

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. J2EE Misconfiguration: Data Transmission Without Encryption - (5)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 5 (J2EE Misconfiguration: Data Transmission Without Encryption)

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Cleartext Storage of Sensitive Information in an Environment Variable - (526)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 526 (Cleartext Storage of Sensitive Information in an Environment Variable)

The product uses an environment variable to store unencrypted sensitive information.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Hard-coded, Security-relevant Constants - (547)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 547 (Use of Hard-coded, Security-relevant Constants)

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Restriction of XML External Entity Reference - (611)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 611 (Improper Restriction of XML External Entity Reference)

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. XXE

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute)

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') - (776)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'))

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. XEE Billion Laughs Attack XML Bomb

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Permissive Cross-domain Security Policy with Untrusted Domains - (942)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1437 (OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration) > 942 (Permissive Cross-domain Security Policy with Untrusted Domains)

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures - (1438)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1438 (OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures)

Weaknesses in this category are related to the A03 category "Software Supply Chain Failures" in the OWASP Top Ten 2025.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities - (1035)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1438 (OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures) > 1035 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Unmaintained Third Party Components - (1104)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1438 (OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures) > 1104 (Use of Unmaintained Third Party Components)

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Reliance on Component That is Not Updateable - (1329)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1438 (OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures) > 1329 (Reliance on Component That is Not Updateable)

The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Dependency on Vulnerable Third-Party Component - (1395)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1438 (OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures) > 1395 (Dependency on Vulnerable Third-Party Component)

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1438 (OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures) > 447 (Unimplemented or Unsupported Feature in UI)

A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1438 (OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures) > 477 (Use of Obsolete Function)

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures - (1439)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures)

Weaknesses in this category are related to the A04 category "Cryptographic Failures" in the OWASP Top Ten 2025.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of a Cryptographic Primitive with a Risky Implementation - (1240)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 1240 (Use of a Cryptographic Primitive with a Risky Implementation)

To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Predictable Algorithm in Random Number Generator - (1241)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 1241 (Use of Predictable Algorithm in Random Number Generator)

The device uses an algorithm that is predictable and generates a pseudo-random number.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 261 (Weak Encoding for Password)

Obscuring a password with a trivial encoding does not protect the password.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Following of a Certificate's Chain of Trust - (296)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 296 (Improper Following of a Certificate's Chain of Trust)

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Cleartext Transmission of Sensitive Information - (319)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 319 (Cleartext Transmission of Sensitive Information)

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Category - a CWE entry that contains a set of other entries that share a common characteristic. Key Management Errors - (320)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 320 (Key Management Errors)

Weaknesses in this category are related to errors in the management of cryptographic keys.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 321 (Use of Hard-coded Cryptographic Key)

The product uses a hard-coded, unchangeable cryptographic key.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 322 (Key Exchange without Entity Authentication)

The product performs a key exchange with an actor without verifying the identity of that actor.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 323 (Reusing a Nonce, Key Pair in Encryption)

Nonces should be used for the present occasion and only once.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 324 (Use of a Key Past its Expiration Date)

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 325 (Missing Cryptographic Step)

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 326 (Inadequate Encryption Strength)

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Use of a Broken or Risky Cryptographic Algorithm - (327)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 327 (Use of a Broken or Risky Cryptographic Algorithm)

The product uses a broken or risky cryptographic algorithm or protocol.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 328 (Use of Weak Hash)

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 329 (Generation of Predictable IV with CBC Mode)

The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 330 (Use of Insufficiently Random Values)

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 331 (Insufficient Entropy)

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 332 (Insufficient Entropy in PRNG)

The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 334 (Small Space of Random Values)

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) - (335)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 335 (Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG))

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Same Seed in Pseudo-Random Number Generator (PRNG) - (336)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 336 (Same Seed in Pseudo-Random Number Generator (PRNG))

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Predictable Seed in Pseudo-Random Number Generator (PRNG) - (337)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 337 (Predictable Seed in Pseudo-Random Number Generator (PRNG))

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - (338)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG))

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Generation of Predictable Numbers or Identifiers - (340)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 340 (Generation of Predictable Numbers or Identifiers)

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Predictable Exact Value from Previous Values - (342)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 342 (Predictable Exact Value from Previous Values)

An exact value or random number can be precisely predicted by observing previous values.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Verification of Cryptographic Signature - (347)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 347 (Improper Verification of Cryptographic Signature)

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 523 (Unprotected Transport of Credentials)

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - (757)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 757 (Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'))

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 759 (Use of a One-Way Hash without a Salt)

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of a One-Way Hash with a Predictable Salt - (760)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 760 (Use of a One-Way Hash with a Predictable Salt)

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 780 (Use of RSA Algorithm without OAEP)

The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Password Hash With Insufficient Computational Effort - (916)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1439 (OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures) > 916 (Use of Password Hash With Insufficient Computational Effort)

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A05:2025 - Injection - (1440)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection)

Weaknesses in this category are related to the A05 category "Injection" in the OWASP Top Ten 2025.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Struts: Incomplete validate() Method Definition - (103)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 103 (Struts: Incomplete validate() Method Definition)

The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Struts: Form Bean Does Not Extend Validation Class - (104)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 104 (Struts: Form Bean Does Not Extend Validation Class)

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 112 (Missing XML Validation)

The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - (113)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'))

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. HTTP Request Splitting HTTP Response Splitting

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 114 (Process Control)

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 115 (Misinterpretation of Input)

The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 116 (Improper Encoding or Escaping of Output)

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. Output Sanitization Output Validation Output Encoding

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 129 (Improper Validation of Array Index)

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. out-of-bounds array index index-out-of-range array index underflow

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Handling of Invalid Use of Special Elements - (159)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 159 (Improper Handling of Invalid Use of Special Elements)

The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 20 (Improper Input Validation)

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - (470)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'))

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. Reflection Injection

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Critical Public Variable Without Final Modifier - (493)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 493 (Critical Public Variable Without Final Modifier)

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 500 (Public Static Field Not Marked Final)

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 564 (SQL Injection: Hibernate)

Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Externally Controlled Reference to a Resource in Another Sphere - (610)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 610 (Externally Controlled Reference to a Resource in Another Sphere)

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Data within XPath Expressions ('XPath Injection') - (643)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 643 (Improper Neutralization of Data within XPath Expressions ('XPath Injection'))

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of HTTP Headers for Scripting Syntax - (644)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 644 (Improper Neutralization of HTTP Headers for Scripting Syntax)

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - (74)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Equivalent Special Elements - (76)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 76 (Improper Neutralization of Equivalent Special Elements)

The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Command injection

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Shell injection Shell metacharacters OS Command Injection

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. XSS HTML Injection Reflected XSS / Non-Persistent XSS / Type 1 XSS Stored XSS / Persistent XSS / Type 2 XSS DOM-Based XSS / Type 0 XSS CSS

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - (80)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Script in Attributes in a Web Page - (83)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 83 (Improper Neutralization of Script in Attributes in a Web Page)

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Invalid Characters in Identifiers in Web Pages - (86)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 86 (Improper Neutralization of Invalid Characters in Identifiers in Web Pages)

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') - (88)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 88 (Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'))

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. SQL injection SQLi

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'))

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 91 (XML Injection (aka Blind XPath Injection))

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') - (917)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'))

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. EL Injection

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of CRLF Sequences ('CRLF Injection') - (93)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 93 (Improper Neutralization of CRLF Sequences ('CRLF Injection'))

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Control of Generation of Code ('Code Injection') - (94)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 94 (Improper Control of Generation of Code ('Code Injection'))

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Code Injection

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'))

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - (96)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection'))

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Server-Side Includes (SSI) Within a Web Page - (97)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 97 (Improper Neutralization of Server-Side Includes (SSI) Within a Web Page)

The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - (98)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'))

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. Remote file include RFI Local file inclusion

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Control of Resource Identifiers ('Resource Injection') - (99)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1440 (OWASP Top Ten 2025 Category A05:2025 - Injection) > 99 (Improper Control of Resource Identifiers ('Resource Injection'))

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. Insecure Direct Object Reference

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A06:2025 - Insecure Design - (1441)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design)

Weaknesses in this category are related to the A06 category "Insecure Design" in the OWASP Top Ten 2025.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Restriction of Rendered UI Layers or Frames - (1021)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 1021 (Improper Restriction of Rendered UI Layers or Frames)

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Clickjacking UI Redress Attack Tapjacking

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Web Link to Untrusted Target with window.opener Access - (1022)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 1022 (Use of Web Link to Untrusted Target with window.opener Access)

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. tabnabbing

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 1125 (Excessive Attack Surface)

The product has an attack surface whose quantitative measurement exceeds a desirable maximum.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 183 (Permissive List of Allowed Inputs)

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. Allowlist / Allow List Safelist / Safe List Whitelist / White List

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 256 (Plaintext Storage of a Password)

The product stores a password in plaintext within resources such as memory or files.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 266 (Incorrect Privilege Assignment)

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 269 (Improper Privilege Management)

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 286 (Incorrect User Management)

The product does not properly manage a user within its environment.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 311 (Missing Encryption of Sensitive Data)

The product does not encrypt sensitive or critical information before storage or transmission.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 312 (Cleartext Storage of Sensitive Information)

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 313 (Cleartext Storage in a File or on Disk)

The product stores sensitive information in cleartext in a file, or on disk.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Cleartext Storage of Sensitive Information in Memory - (316)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 316 (Cleartext Storage of Sensitive Information in Memory)

The product stores sensitive information in cleartext in memory.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'))

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. Race Condition

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 382 (J2EE Bad Practices: Use of System.exit())

A J2EE application uses System.exit(), which also shuts down its container.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 419 (Unprotected Primary Channel)

The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unrestricted Upload of File with Dangerous Type - (434)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 434 (Unrestricted Upload of File with Dangerous Type)

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Unrestricted File Upload

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 436 (Interpretation Conflict)

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') - (444)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'))

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. HTTP Request Smuggling HTTP Response Smuggling HTTP Smuggling

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. User Interface (UI) Misrepresentation of Critical Information - (451)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 451 (User Interface (UI) Misrepresentation of Critical Information)

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. External Initialization of Trusted Variables or Data Stores - (454)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 454 (External Initialization of Trusted Variables or Data Stores)

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. External Control of Assumed-Immutable Web Parameter - (472)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 472 (External Control of Assumed-Immutable Web Parameter)

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Assumed-Immutable Parameter Tampering

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 501 (Trust Boundary Violation)

The product mixes trusted and untrusted data in the same data structure or structured message.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 522 (Insufficiently Protected Credentials)

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Web Browser Cache Containing Sensitive Information - (525)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 525 (Use of Web Browser Cache Containing Sensitive Information)

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Persistent Cookies Containing Sensitive Information - (539)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 539 (Use of Persistent Cookies Containing Sensitive Information)

The web application uses persistent cookies, but the cookies contain sensitive information.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of GET Request Method With Sensitive Query Strings - (598)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 598 (Use of GET Request Method With Sensitive Query Strings)

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Client-Side Enforcement of Server-Side Security - (602)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 602 (Client-Side Enforcement of Server-Side Security)

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Function Call with Incorrectly Specified Arguments - (628)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 628 (Function Call with Incorrectly Specified Arguments)

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 642 (External Control of Critical State Data)

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Reliance on File Name or Extension of Externally-Supplied File - (646)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 646 (Reliance on File Name or Extension of Externally-Supplied File)

The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 653 (Improper Isolation or Compartmentalization)

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. Separation of Privilege

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 656 (Reliance on Security Through Obscurity)

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. Never Assuming your secrets are safe

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 657 (Violation of Secure Design Principles)

The product violates well-established principles for secure design.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 676 (Use of Potentially Dangerous Function)

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 693 (Protection Mechanism Failure)

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 73 (External Control of File Name or Path)

The product allows user input to control or influence paths or file names that are used in filesystem operations.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 799 (Improper Control of Interaction Frequency)

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. Insufficient anti-automation Brute force

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Reliance on Untrusted Inputs in a Security Decision - (807)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 807 (Reliance on Untrusted Inputs in a Security Decision)

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Enforcement of Behavioral Workflow - (841)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1441 (OWASP Top Ten 2025 Category A06:2025 - Insecure Design) > 841 (Improper Enforcement of Behavioral Workflow)

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A07:2025 - Authentication Failures - (1442)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures)

Weaknesses in this category are related to the A07 category "Authentication Failures" in the OWASP Top Ten 2025.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 1390 (Weak Authentication)

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 1391 (Use of Weak Credentials)

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 1392 (Use of Default Credentials)

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 1393 (Use of Default Password)

The product uses default passwords for potentially critical functionality.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 258 (Empty Password in Configuration File)

Using an empty string as a password is insecure.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 259 (Use of Hard-coded Password)

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 287 (Improper Authentication)

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. authentification AuthN AuthC

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authentication Bypass Using an Alternate Path or Channel - (288)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 288 (Authentication Bypass Using an Alternate Path or Channel)

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 289 (Authentication Bypass by Alternate Name)

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 290 (Authentication Bypass by Spoofing)

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 291 (Reliance on IP Address for Authentication)

The product uses an IP address for authentication.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 293 (Using Referer Field for Authentication)

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. referrer

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 294 (Authentication Bypass by Capture-replay)

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 295 (Improper Certificate Validation)

The product does not validate, or incorrectly validates, a certificate.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Validation of Certificate with Host Mismatch - (297)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 297 (Improper Validation of Certificate with Host Mismatch)

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Validation of Certificate Expiration - (298)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 298 (Improper Validation of Certificate Expiration)

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 299 (Improper Check for Certificate Revocation)

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 300 (Channel Accessible by Non-Endpoint)

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. Adversary-in-the-Middle / AITM Attacker-in-the-Middle / AITM Man-in-the-Middle / MITM Person-in-the-Middle / PITM Monkey-in-the-Middle Monster-in-the-Middle Manipulator-in-the-Middle On-path attack Interception attack

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authentication Bypass by Assumed-Immutable Data - (302)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 302 (Authentication Bypass by Assumed-Immutable Data)

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Implementation of Authentication Algorithm - (303)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 303 (Incorrect Implementation of Authentication Algorithm)

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 304 (Missing Critical Step in Authentication)

The product implements an authentication technique, but it skips a step that weakens the technique.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 305 (Authentication Bypass by Primary Weakness)

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Authentication for Critical Function - (306)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 306 (Missing Authentication for Critical Function)

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Restriction of Excessive Authentication Attempts - (307)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 307 (Improper Restriction of Excessive Authentication Attempts)

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 308 (Use of Single-factor Authentication)

The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Password System for Primary Authentication - (309)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 309 (Use of Password System for Primary Authentication)

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 346 (Origin Validation Error)

The product does not properly verify that the source of data or communication is valid.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Reliance on Reverse DNS Resolution for a Security-Critical Action - (350)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 350 (Reliance on Reverse DNS Resolution for a Security-Critical Action)

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 384 (Session Fixation)

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 521 (Weak Password Requirements)

The product does not require that users should have strong passwords.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 613 (Insufficient Session Expiration)

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 620 (Unverified Password Change)

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Weak Password Recovery Mechanism for Forgotten Password - (640)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 640 (Weak Password Recovery Mechanism for Forgotten Password)

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 798 (Use of Hard-coded Credentials)

The product contains hard-coded credentials, such as a password or cryptographic key.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Verification of Source of a Communication Channel - (940)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 940 (Improper Verification of Source of a Communication Channel)

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrectly Specified Destination in a Communication Channel - (941)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1442 (OWASP Top Ten 2025 Category A07:2025 - Authentication Failures) > 941 (Incorrectly Specified Destination in a Communication Channel)

The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures - (1443)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures)

Weaknesses in this category are related to the A08 category "Software or Data Integrity Failures" in the OWASP Top Ten 2025.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Insufficient Verification of Data Authenticity - (345)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 345 (Insufficient Verification of Data Authenticity)

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 353 (Missing Support for Integrity Check)

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 426 (Untrusted Search Path)

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. Untrusted Path

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 427 (Uncontrolled Search Path Element)

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. DLL preloading Binary planting Insecure library loading Dependency confusion

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 494 (Download of Code Without Integrity Check)

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 502 (Deserialization of Untrusted Data)

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Marshaling, Unmarshaling Pickling, Unpickling PHP Object Injection

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 506 (Embedded Malicious Code)

The product contains code that appears to be malicious in nature.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 509 (Replicating Malicious Code (Virus or Worm))

Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Reliance on Cookies without Validation and Integrity Checking - (565)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 565 (Reliance on Cookies without Validation and Integrity Checking)

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Reliance on Cookies without Validation and Integrity Checking in a Security Decision - (784)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 784 (Reliance on Cookies without Validation and Integrity Checking in a Security Decision)

The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Inclusion of Functionality from Untrusted Control Sphere - (829)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 829 (Inclusion of Functionality from Untrusted Control Sphere)

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Inclusion of Web Functionality from an Untrusted Source - (830)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 830 (Inclusion of Web Functionality from an Untrusted Source)

The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improperly Controlled Modification of Dynamically-Determined Object Attributes - (915)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. Mass Assignment AutoBinding PHP Object Injection

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Export of Android Application Components - (926)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1443 (OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures) > 926 (Improper Export of Android Application Components)

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures - (1444)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1444 (OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures)

Weaknesses in this category are related to the A09 category "Logging & Alerting Failures" in the OWASP Top Ten 2025.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1444 (OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures) > 117 (Improper Output Neutralization for Logs)

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. Log forging

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1444 (OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures) > 221 (Information Loss or Omission)

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1444 (OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures) > 223 (Omission of Security-relevant Information)

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1444 (OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures) > 532 (Insertion of Sensitive Information into Log File)

The product writes sensitive information to a log file.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1444 (OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures) > 778 (Insufficient Logging)

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions - (1445)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions)

Weaknesses in this category are related to the A10 category "Mishandling of Exceptional Conditions" in the OWASP Top Ten 2025.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Generation of Error Message Containing Sensitive Information - (209)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 209 (Generation of Error Message Containing Sensitive Information)

The product generates an error message that includes sensitive information about its environment, users, or associated data.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 215 (Insertion of Sensitive Information Into Debugging Code)

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 234 (Failure to Handle Missing Parameter)

If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 235 (Improper Handling of Extra Parameters)

The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 248 (Uncaught Exception)

An exception is thrown from a function, but it is not caught.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 252 (Unchecked Return Value)

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Handling of Insufficient Privileges - (274)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 274 (Improper Handling of Insufficient Privileges)

The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Handling of Insufficient Permissions or Privileges - (280)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 280 (Improper Handling of Insufficient Permissions or Privileges )

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 369 (Divide By Zero)

The product divides a value by zero.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Detection of Error Condition Without Action - (390)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 390 (Detection of Error Condition Without Action)

The product detects a specific error, but takes no actions to handle the error.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 391 (Unchecked Error Condition)

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 394 (Unexpected Status Code or Return Value)

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 396 (Declaration of Catch for Generic Exception)

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Throws for Generic Exception - (397)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 397 (Declaration of Throws for Generic Exception)

The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 460 (Improper Cleanup on Thrown Exception)

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 476 (NULL Pointer Dereference)

The product dereferences a pointer that it expects to be valid but is NULL. NPD null deref NPE nil pointer dereference

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Default Case in Multiple Condition Expression - (478)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 478 (Missing Default Case in Multiple Condition Expression)

The code does not have a default case in an expression with multiple conditions, such as a switch statement.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 484 (Omitted Break Statement in Switch)

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Server-generated Error Message Containing Sensitive Information - (550)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 550 (Server-generated Error Message Containing Sensitive Information)

Certain conditions, such as network failure, will cause a server error message to be displayed.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 636 (Not Failing Securely ('Failing Open'))

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. Failing Open

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 703 (Improper Check or Handling of Exceptional Conditions)

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Check for Unusual or Exceptional Conditions - (754)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 754 (Improper Check for Unusual or Exceptional Conditions)

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Handling of Exceptional Conditions - (755)

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 755 (Improper Handling of Exceptional Conditions)

The product does not handle or incorrectly handles an exceptional condition.

1450 (Weaknesses in OWASP Top Ten RC1 (2025)) > 1445 (OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions) > 756 (Missing Custom Error Page)

The product does not return custom error pages to the user, possibly exposing sensitive information.

Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.

Notes

Maintenance

As of CWE 4.19, the relationships in this view were pulled directly from the CWE mappings cited in the 2025 OWASP Top Ten RC1. These mappings include categories and high-level weaknesses. One mapping to a deprecated entry was removed. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself.

References

[REF-1500] "OWASP Top 10:2025 RC1". OWASP. 2025-11-06. <https://owasp.org/Top10/2025/0x00_2025-Introduction/>. URL validated: 2025-12-01.

View Metrics

	CWEs in this view		Total CWEs
Weaknesses	246	out of	944
Categories	13	out of	385
Views	0	out of	54
Total	259	out of	1383

Content History

Submissions
Submission Date	Submitter	Organization
2024-12-01 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2024-12-01 (CWE 4.19, 2025-12-11)

Weakness ID: 362

Vulnerability Mapping: ALLOWED This CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes)
Abstraction: Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.

View customized information:

For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.

Description

Extended Description

A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc.

A race condition violates these properties, which are closely related:

Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties of the shared resource before the original sequence has completed execution.
Atomicity - the code sequence is behaviorally atomic, i.e., no other thread or process can concurrently execute the same sequence of instructions (or a subset) against the same resource.

A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity.

The interfering code sequence could be "trusted" or "untrusted." A trusted interfering code sequence occurs within the product; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable product.

Alternate Terms

Race Condition

Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Impact	Details
DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)	Scope: Availability When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion.
DoS: Crash, Exit, or Restart; DoS: Instability	Scope: Availability When a race condition allows multiple control flows to access a resource simultaneously, it might lead the product(s) into unexpected states, possibly resulting in a crash.
Read Files or Directories; Read Application Data	Scope: Confidentiality, Integrity When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).
Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity; Bypass Protection Mechanism	Scope: Access Control This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.

Potential Mitigations

Phase(s)	Mitigation
Architecture and Design	In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Architecture and Design	Use thread-safe capabilities such as the data access abstraction in Spring.
Architecture and Design	Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring. Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Implementation	When using multithreading and operating on shared variables, only use thread-safe functions.
Implementation	Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Implementation	Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Implementation	Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Implementation	Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Implementation	Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Architecture and Design; Operation	Strategy: Environment Hardening Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Relationships

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	662	Improper Synchronization
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	364	Signal Handler Race Condition
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	366	Race Condition within a Thread
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	367	Time-of-check Time-of-use (TOCTOU) Race Condition
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	368	Context Switching Race Condition
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	421	Race Condition During Access to Alternate Channel
ParentOf	Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability.	689	Permission Race Condition During Resource Copy
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1223	Race Condition for Write-Once Attributes
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	1298	Hardware Logic Contains Race Conditions
CanFollow	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	662	Improper Synchronization
CanPrecede	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	416	Use After Free
CanPrecede	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	476	NULL Pointer Dereference

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
ParentOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	367	Time-of-check Time-of-use (TOCTOU) Race Condition

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase

Note

Architecture and Design

Implementation

Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence; when they are not, this violates atomicity. For example, the single "x++" statement may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read (the original value of x), followed by a computation (x+1), followed by a write (save the result to x).

Applicable Platforms

This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages	C (Sometimes Prevalent) C++ (Sometimes Prevalent) Java (Sometimes Prevalent)
Technologies	Class: Mobile (Undetermined Prevalence) Class: ICS/OT (Undetermined Prevalence)

Likelihood Of Exploit

Medium

Demonstrative Examples

Example 1

This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.

(bad code)

Example Language: Perl

$transfer_amount = GetTransferAmount();
$balance = GetBalanceFromDatabase();

if ($transfer_amount < 0) {

FatalError("Bad Transfer Amount");

}
$newbalance = $balance - $transfer_amount;
if (($balance - $transfer_amount) < 0) {

FatalError("Insufficient Funds");

}
SendNewBalanceToDatabase($newbalance);
NotifyUser("Transfer of $transfer_amount succeeded.");
NotifyUser("New balance: $newbalance");

A race condition could occur between the calls to GetBalanceFromDatabase() and SendNewBalanceToDatabase().

Suppose the balance is initially 100.00. An attack could be constructed as follows:

(attack code)

Example Language: Other

In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account.
CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2.
CALLER-1 makes a transfer request of 80.00.
PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00
PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase().
Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay.
CALLER-2 makes a transfer request of 1.00.
PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to 100.00. This happens because the previous PROGRAM-1 request was not processed yet.
PROGRAM-2 determines the new balance as 99.00.
After the initial delay, PROGRAM-1 commits its balance to the database, setting it to 20.00.
PROGRAM-2 sends a request to update the database, setting the balance to 99.00

At this stage, the attacker should have a balance of 19.00 (due to 81.00 worth of transfers), but the balance is 99.00, as recorded in the database.

To prevent this weakness, the programmer has several options, including using a lock to prevent multiple simultaneous requests to the web application, or using a synchronization mechanism that includes all the code between GetBalanceFromDatabase() and SendNewBalanceToDatabase().

Example 2

The following function attempts to acquire a lock in order to perform operations on a shared resource.

(bad code)

Example Language: C

void f(pthread_mutex_t *mutex) {

pthread_mutex_lock(mutex);

/* access shared resource */

pthread_mutex_unlock(mutex);

}

However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.

In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels.

(good code)

Example Language: C

int f(pthread_mutex_t *mutex) {

int result;

result = pthread_mutex_lock(mutex);
if (0 != result)

return result;

/* access shared resource */

return pthread_mutex_unlock(mutex);

}

Example 3

Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.

Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario.

Selected Observed Examples

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Reference	Description
CVE-2022-29527	Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition.
CVE-2021-1782	Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV.
CVE-2021-0920	Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
CVE-2020-6819	Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
CVE-2019-18827	chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys
CVE-2019-1161	Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted.
CVE-2015-1743	TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed
CVE-2014-8273	Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237].
CVE-2008-5044	Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.
CVE-2008-2958	chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
CVE-2008-1570	chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
CVE-2008-0058	Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.
CVE-2008-0379	Race condition during initialization triggers a buffer overflow.
CVE-2007-6599	Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.
CVE-2007-6180	chain: race condition triggers NULL pointer dereference
CVE-2007-5794	Race condition in library function could cause data to be sent to the wrong process.
CVE-2007-3970	Race condition in file parser leads to heap corruption.
CVE-2008-5021	chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.
CVE-2009-4895	chain: race condition for an argument value, possibly resulting in NULL dereference
CVE-2009-3547	Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
CVE-2006-5051	Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method	Details
Black Box	Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.
White Box	Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).
Automated Dynamic Analysis	This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect. Effectiveness: Moderate
Automated Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis Effectiveness: High
Dynamic Analysis with Automated Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners Effectiveness: SOAR Partial
Dynamic Analysis with Manual Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious Effectiveness: High
Manual Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Effectiveness: High
Automated Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Effectiveness: High
Architecture or Design Review	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Effectiveness: High

Affected Resources

File or Directory

Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	635	Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	743	CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	751	2009 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	801	2010 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	852	The CERT Oracle Secure Coding Standard for Java (2011) Chapter 9 - Visibility and Atomicity (VNA)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	867	2011 Top 25 - Weaknesses On the Cusp
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	877	CERT C++ Secure Coding Section 09 - Input Output (FIO)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	882	CERT C++ Secure Coding Section 14 - Concurrency (CON)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	988	SFP Secondary Cluster: Race Condition Window
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1142	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1364	ICS Communications: Zone Boundary Failures
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1365	ICS Communications: Unreliability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1366	ICS Communications: Frail Security in Protocols
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1376	ICS Engineering (Construction/Deployment): Security Gaps in Commissioning
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1387	Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1401	Comprehensive Categorization: Concurrency
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1425	Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1441	OWASP Top Ten 2025 Category A06:2025 - Insecure Design

Vulnerability Mapping Notes

Usage	ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review)
Reason	Abstraction
Rationale	This CWE entry is a Class and might have Base-level children that would be more appropriate
Comments	Examine children of this entry to see if there is a better fit

Notes

Research Gap

Race conditions in web applications are under-studied and probably under-reported. However, in 2008 there has been growing interest in this area.

Research Gap

Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.

Research Gap

From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.

Maintenance

The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Race Conditions
The CERT Oracle Secure Coding Standard for Java (2011)	VNA03-J		Do not assume that a group of calls to independently atomic methods is atomic

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-26	Leveraging Race Conditions
CAPEC-29	Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

References

[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 13: Race Conditions." Page 205. McGraw-Hill. 2010.
[REF-349]	Andrei Alexandrescu. "volatile - Multithreaded Programmer's Best Friend". Dr. Dobb's. 2008-02-01. <https://drdobbs.com/cpp/volatile-the-multithreaded-programmers-b/184403766>. (URL validated: 2023-04-07)
[REF-350]	Steven Devijver. "Thread-safe webapps using Spring". <https://web.archive.org/web/20170609174845/http://www.javalobby.org/articles/thread-safe/index.jsp>. (URL validated: 2023-04-07)
[REF-351]	David Wheeler. "Prevent race conditions". 2007-10-04. <https://www.ida.liu.se/~TDDC90/literature/papers/SP-race-conditions.pdf>. (URL validated: 2023-04-07)
[REF-352]	Matt Bishop. "Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux". 1995-09. <https://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/ucd-ecs-95-08.pdf>. (URL validated: 2023-04-07)
[REF-353]	David Wheeler. "Secure Programming for Linux and Unix HOWTO". 2003-03-03. <https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html>. (URL validated: 2023-04-07)
[REF-354]	Blake Watts. "Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit". 2002-04. <https://www.blakewatts.com/blog/discovering-and-exploiting-named-pipe-security-flaws-for-fun-and-profit>. (URL validated: 2023-04-07)
[REF-355]	Roberto Paleari, Davide Marrone, Danilo Bruschi and Mattia Monga. "On Race Vulnerabilities in Web Applications". <http://security.dico.unimi.it/~roberto/pubs/dimva08-web.pdf>.
[REF-356]	"Avoiding Race Conditions and Insecure File Operations". Apple Developer Connection. <https://web.archive.org/web/20081010155022/http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html>. (URL validated: 2023-04-07)
[REF-357]	Johannes Ullrich. "Top 25 Series - Rank 25 - Race Conditions". SANS Software Security Institute. 2010-03-26. <https://web.archive.org/web/20100530231203/http://blogs.sans.org:80/appsecstreetfighter/2010/03/26/top-25-series-rank-25-race-conditions/>. (URL validated: 2023-04-07)
[REF-76]	Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege>. (URL validated: 2023-04-07)
[REF-1237]	CERT Coordination Center. "Intel BIOS locking mechanism contains race condition that enables write protection bypass". 2015-01-05. <https://www.kb.cert.org/vuls/id/766164/>.
[REF-1479]	Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". 2014-07. <https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx>. (URL validated: 2025-09-05)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	PLOVER
2006-07-19 (CWE Draft 3, 2006-07-19)
Contributions
Contribution Date	Contributor	Organization
2010-04-30	Martin Sebor	Cisco Systems, Inc.
2010-04-30	Provided Demonstrative Example
2024-02-29 (CWE 4.16, 2024-11-19)	Abhi Balakrishnan
2024-02-29 (CWE 4.16, 2024-11-19)	Provided diagram to improve CWE usability
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Observed_Examples, Relationships, Weakness_Ordinalities
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Detection_Factors, References
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Affected_Resources
2024-11-19 (CWE 4.16, 2024-11-19)	CWE Content Team	MITRE
2024-11-19 (CWE 4.16, 2024-11-19)	updated Alternate_Terms, Common_Consequences, Description, Diagram, Modes_of_Introduction
2024-07-16 (CWE 4.15, 2024-07-16)	CWE Content Team	MITRE
2024-07-16 (CWE 4.15, 2024-07-16)	updated Relationships
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated References, Relationships
2023-01-31	CWE Content Team	MITRE
2023-01-31	updated Applicable_Platforms, Common_Consequences, Description
2022-10-13	CWE Content Team	MITRE
2022-10-13	updated Observed_Examples, References
2022-06-28	CWE Content Team	MITRE
2022-06-28	updated Observed_Examples, Relationships
2022-04-28	CWE Content Team	MITRE
2022-04-28	updated Observed_Examples, Relationships
2021-10-28	CWE Content Team	MITRE
2021-10-28	updated Observed_Examples, References
2021-03-15	CWE Content Team	MITRE
2021-03-15	updated Demonstrative_Examples
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Demonstrative_Examples, References, Research_Gaps, Taxonomy_Mappings
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors, Relationships
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Potential_Mitigations, References, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Observed_Examples, Potential_Mitigations, Relationships
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Detection_Factors, References, Relationships
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Relationships
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Demonstrative_Examples, Potential_Mitigations
2009-01-12	CWE Content Team	MITRE
2009-01-12	updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships, Research_Gaps
2008-11-24	CWE Content Team	MITRE
2008-11-24	updated Relationships, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Relationships
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Relationships, Taxonomy_Mappings
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Race Conditions
2010-12-13	Race Condition

Weakness ID: 352 (Structure: Composite) Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability.

Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities

View customized information:

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Alternate Terms

Session Riding
Cross Site Reference Forgery
XSRF
CSRF

Common Consequences

Impact

Details

Gain Privileges or Assume Identity; Bypass Protection Mechanism; Read Application Data; Modify Application Data; DoS: Crash, Exit, or Restart

Scope: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control

The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could trick a client into making an unintentional request to the web server via a URL, image load, XMLHttpRequest, etc., which would then be treated as an authentic request from the client - effectively performing any operations as the victim, leading to an exposure of data, unintended code execution, etc. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.

Potential Mitigations

Phase(s)	Mitigation
Architecture and Design	Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
Implementation	Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.
Architecture and Design	Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332] Note: Note that this can be bypassed using XSS (CWE-79).
Architecture and Design	Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note: Note that this can be bypassed using XSS (CWE-79).
Architecture and Design	Use the "double-submitted cookie" method as described by Felten and Zeller: When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult. This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331] Note: Note that this can probably be bypassed using XSS (CWE-79), or when using web technologies that enable the attacker to read raw headers from HTTP requests.
Architecture and Design	Do not use the GET method for any request that triggers a state change.
Implementation	Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons. Note: Note that this can be bypassed using XSS (CWE-79). An attacker could use XSS to generate a spoofed Referer, or to generate a malicious request from a page whose Referer would be allowed.

Composite Components

Nature	Type	ID	Name
Requires	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	346	Origin Validation Error
Requires	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	441	Unintended Proxy or Intermediary ('Confused Deputy')
Requires	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	613	Insufficient Session Expiration
Requires	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	642	External Control of Critical State Data

Relationships

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	345	Insufficient Verification of Data Authenticity
PeerOf	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CanFollow	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	1275	Sensitive Cookie with Improper SameSite Attribute

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	345	Insufficient Verification of Data Authenticity

Relevant to the view "Architectural Concepts" (View-1008)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1019	Validate Inputs

Modes Of Introduction

Phase	Note
Architecture and Design	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Languages	Class: Not Language-Specific (Undetermined Prevalence)
Technologies	Class: Web Based (Undetermined Prevalence) Web Server (Undetermined Prevalence)

Likelihood Of Exploit

Medium

Demonstrative Examples

Example 1

This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.

The following HTML is intended to allow a user to update a profile.

(bad code)

Example Language: HTML

profile.php contains the following code.

(bad code)

Example Language: PHP

// initiate the session in order to validate sessions

session_start();

//if the session is registered to a valid user then allow update

if (! session_is_registered("username")) {

echo "invalid session detected!";

// Redirect user to login page
[...]

exit;

}

// The user session is valid, so process the request

// and update the information

update_profile();

function update_profile {

// read in the data from $POST and send an update

// to the database
SendUpdateToDatabase($_SESSION['username'], $_POST['email']);
[...]
echo "Your profile has been successfully updated.";

}

This code may look protected since it checks for a valid session. However, CSRF attacks can be staged from virtually any tag or HTML construct, including image tags, links, embed or object tags, or other attributes that load background images.

The attacker can then host code that will silently change the username and email address of any user that visits the page while remaining logged in to the target web application. The code might be an innocent-looking web page such as:

(attack code)

Example Language: HTML

<SCRIPT>
function SendAttack () {

form.email = "attacker@example.com";
// send to profile.php
form.submit();

}
</SCRIPT>

<BODY onload="javascript:SendAttack();">

<form action="http://victim.example.com/profile.php" id="form" method="post">
<input type="hidden" name="firstname" value="Funny">
<input type="hidden" name="lastname" value="Joke">
<br/>
<input type="hidden" name="email">
</form>

Notice how the form contains hidden fields, so when it is loaded into the browser, the user will not notice it. Because SendAttack() is defined in the body's onload attribute, it will be automatically called when the victim loads the web page.

Assuming that the user is already logged in to victim.example.com, profile.php will see that a valid user session has been established, then update the email address to the attacker's own address. At this stage, the user's identity has been compromised, and messages sent through this profile could be sent to the attacker's address.

Selected Observed Examples

Reference	Description
CVE-2004-1703	Add user accounts via a URL in an img tag
CVE-2004-1995	Add user accounts via a URL in an img tag
CVE-2004-1967	Arbitrary code execution by specifying the code in a crafted img tag or URL
CVE-2004-1842	Gain administrative privileges via a URL in an img tag
CVE-2005-1947	Delete a victim's information via a URL or an img tag
CVE-2005-2059	Change another user's settings via a URL or an img tag
CVE-2005-1674	Perform actions as administrator via a URL or an img tag
CVE-2009-3520	modify password for the administrator
CVE-2009-3022	CMS allows modification of configuration via CSRF attack against the administrator
CVE-2009-3759	web interface allows password changes or stopping a virtual machine via CSRF

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Method	Details
Manual Analysis	This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual analysis can be useful for finding this weakness, and for minimizing false positives assuming an understanding of business logic. However, it might not achieve desired code coverage within limited time constraints. For black-box analysis, if credentials are not known for privileged accounts, then the most security-critical portions of the application may not receive sufficient attention. Consider using OWASP CSRFTester to identify potential issues and aid in manual analysis. Effectiveness: High Note:These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Automated Static Analysis	CSRF is currently difficult to detect reliably using automated techniques. This is because each application has its own implicit security policy that dictates which requests can be influenced by an outsider and automatically performed on behalf of a user, versus which requests require strong confidence that the user intends to make the request. For example, a keyword search of the public portion of a web site is typically expected to be encoded within a link that can be launched automatically when the user clicks on the link. Effectiveness: Limited
Automated Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Effectiveness: SOAR Partial
Manual Static Analysis - Binary or Bytecode	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Effectiveness: SOAR Partial
Dynamic Analysis with Automated Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Web Application Scanner Effectiveness: High
Dynamic Analysis with Manual Results Interpretation	According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Effectiveness: High
Manual Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections) Effectiveness: SOAR Partial
Automated Static Analysis - Source Code	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Effectiveness: SOAR Partial
Architecture or Design Review	According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Effectiveness: SOAR Partial

Memberships

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	635	Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	716	OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	751	2009 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	801	2010 Top 25 - Insecure Interaction Between Components
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	814	OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	864	2011 Top 25 - Insecure Interaction Between Components
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	884	CWE Cross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	936	OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1200	Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1337	Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1345	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1350	Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1387	Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1411	Comprehensive Categorization: Insufficient Verification of Data Authenticity
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1425	Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1430	Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1435	Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1436	OWASP Top Ten 2025 Category A01:2025 - Broken Access Control

Vulnerability Mapping Notes

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Other
Rationale	This is a well-known Composite of multiple weaknesses that must all occur simultaneously, although it is attack-oriented in nature.
Comments	While attack-oriented composites are supported in CWE, they have not been a focus of research. There is a chance that future research or CWE scope clarifications will change or deprecate them. Perform root-cause analysis to determine if other weaknesses allow CSRF attacks to occur, and map to those weaknesses. For example, predictable CSRF tokens might allow bypass of CSRF protection mechanisms; if this occurs, they might be better characterized as randomness/predictability weaknesses.

Notes

Relationship

There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.

Theoretical

The CSRF topology is multi-channel:

Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel.
Intermediary (as user) to server (as victim). The activation point is an internal channel.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Cross-Site Request Forgery (CSRF)
OWASP Top Ten 2007	A5	Exact	Cross Site Request Forgery (CSRF)
WASC	9		Cross-site Request Forgery

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-111	JSON Hijacking (aka JavaScript Hijacking)
CAPEC-462	Cross-Domain Search Timing
CAPEC-467	Cross Site Identification
CAPEC-62	Cross Site Request Forgery

References

[REF-44]	Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 2: Web-Server Related Vulnerabilities (XSS, XSRF, and Response Splitting)." Page 37. McGraw-Hill. 2010.
[REF-329]	Peter W. "Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)". Bugtraq. <https://marc.info/?l=bugtraq&m=99263135911884&w=2>. (URL validated: 2025-07-24)
[REF-330]	OWASP. "Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet". <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>. (URL validated: 2025-07-24)
[REF-331]	Edward W. Felten and William Zeller. "Cross-Site Request Forgeries: Exploitation and Prevention". 2008-10-18. <https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.147.1445>. (URL validated: 2023-04-07)
[REF-332]	Robert Auger. "CSRF - The Cross-Site Request Forgery (CSRF/XSRF) FAQ". <https://www.cgisecurity.com/csrf-faq.html>. (URL validated: 2025-07-24)
[REF-333]	"Cross-site request forgery". Wikipedia. 2008-12-22. <https://en.wikipedia.org/wiki/Cross-site_request_forgery>. (URL validated: 2023-04-07)
[REF-334]	Jason Lam. "Top 25 Series - Rank 4 - Cross Site Request Forgery". SANS Software Security Institute. 2010-03-03. <https://www.sans.org/blog/top-25-series-rank-4-cross-site-request-forgery>. (URL validated: 2025-07-29)
[REF-335]	Jeff Atwood. "Preventing CSRF and XSRF Attacks". 2008-10-14. <https://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/>. (URL validated: 2023-04-07)
[REF-45]	OWASP. "OWASP Enterprise Security API (ESAPI) Project". <https://owasp.org/www-project-enterprise-security-api/>. (URL validated: 2025-07-24)
[REF-956]	Wikipedia. "Samy (computer worm)". <https://en.wikipedia.org/wiki/Samy_(computer_worm)>. (URL validated: 2018-01-16)
[REF-1479]	Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". 2014-07. <https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx>. (URL validated: 2025-09-05)
[REF-1482]	D3FEND. "D3FEND: D3-TL Trusted Library". <https://d3fend.mitre.org/technique/d3f:TrustedLibrary/>. (URL validated: 2025-09-06)

Content History

Submissions
Submission Date	Submitter	Organization
2006-07-19 (CWE Draft 3, 2006-07-19)	PLOVER
2006-07-19 (CWE Draft 3, 2006-07-19)
Contributions
Contribution Date	Contributor	Organization
2024-02-29 (CWE 4.17, 2025-04-03)	Abhi Balakrishnan
2024-02-29 (CWE 4.17, 2025-04-03)	Contributed usability diagram concepts used by the CWE team.
Modifications
Modification Date	Modifier	Organization
2025-12-11 (CWE 4.19, 2025-12-11)	CWE Content Team	MITRE
2025-12-11 (CWE 4.19, 2025-12-11)	updated Applicable_Platforms, Relationships, Weakness_Ordinalities
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
2025-09-09 (CWE 4.18, 2025-09-09)	updated Detection_Factors, Potential_Mitigations, References
2025-04-03 (CWE 4.17, 2025-04-03)	CWE Content Team	MITRE
2025-04-03 (CWE 4.17, 2025-04-03)	updated Alternate_Terms, Common_Consequences, Description, Diagram
2024-11-19 (CWE 4.16, 2024-11-19)	CWE Content Team	MITRE
2024-11-19 (CWE 4.16, 2024-11-19)	updated Relationships
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes, Relationships
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated References, Relationships
2022-06-28	CWE Content Team	MITRE
2022-06-28	updated Relationships
2021-10-28	CWE Content Team	MITRE
2021-10-28	updated Relationships
2021-07-20	CWE Content Team	MITRE
2021-07-20	updated Relationships
2020-08-20	CWE Content Team	MITRE
2020-08-20	updated Relationships
2020-06-25	CWE Content Team	MITRE
2020-06-25	updated Relationships, Theoretical_Notes
2020-02-24	CWE Content Team	MITRE
2020-02-24	updated Relationships
2019-09-19	CWE Content Team	MITRE
2019-09-19	updated Relationships
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated References, Relationship_Notes, Research_Gaps
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors
2013-07-17	CWE Content Team	MITRE
2013-07-17	updated References, Relationships
2013-02-21	CWE Content Team	MITRE
2013-02-21	updated Relationships
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Related_Attack_Patterns, Relationships
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Potential_Mitigations, References
2011-06-27	CWE Content Team	MITRE
2011-06-27	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Description
2010-09-27	CWE Content Team	MITRE
2010-09-27	updated Potential_Mitigations
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Applicable_Platforms, Detection_Factors, References, Relationships, Taxonomy_Mappings
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, Time_of_Introduction
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Demonstrative_Examples, Related_Attack_Patterns
2009-05-20	Tom Stracener
2009-05-20	Added demonstrative example for profile.
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Potential_Mitigations
2009-01-12	CWE Content Team	MITRE
2009-01-12	updated Applicable_Platforms, Description, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Theoretical_Notes
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Alternate_Terms, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction

Common Weakness Enumeration

CWE VIEW: Weaknesses in OWASP Top Ten RC1 (2025)

View Components

CWE-36: Absolute Path Traversal

Edit Custom Filter

CWE-489: Active Debug Code

Edit Custom Filter

CWE-11: ASP.NET Misconfiguration: Creating Debug Binary

Edit Custom Filter

CWE-1174: ASP.NET Misconfiguration: Improper Model Validation

Edit Custom Filter

CWE-13: ASP.NET Misconfiguration: Password in Configuration File

Edit Custom Filter

CWE-289: Authentication Bypass by Alternate Name

Edit Custom Filter

CWE-302: Authentication Bypass by Assumed-Immutable Data

Edit Custom Filter

CWE-294: Authentication Bypass by Capture-replay

Edit Custom Filter

CWE-305: Authentication Bypass by Primary Weakness

Edit Custom Filter

CWE-290: Authentication Bypass by Spoofing

Edit Custom Filter

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Edit Custom Filter

CWE-639: Authorization Bypass Through User-Controlled Key

Edit Custom Filter

CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key

Edit Custom Filter

CWE-300: Channel Accessible by Non-Endpoint

Edit Custom Filter

CWE-313: Cleartext Storage in a File or on Disk

Edit Custom Filter

CWE-312: Cleartext Storage of Sensitive Information

Edit Custom Filter

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

Edit Custom Filter

CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable

Edit Custom Filter

CWE-316: Cleartext Storage of Sensitive Information in Memory

Edit Custom Filter

CWE-319: Cleartext Transmission of Sensitive Information

Edit Custom Filter

CWE-602: Client-Side Enforcement of Server-Side Security

Edit Custom Filter

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Edit Custom Filter

CWE CATEGORY: Configuration

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Edit Custom Filter

CWE-493: Critical Public Variable Without Final Modifier

Edit Custom Filter

CWE-352: Cross-Site Request Forgery (CSRF)

Edit Custom Filter

CWE-396: Declaration of Catch for Generic Exception

Edit Custom Filter

CWE-397: Declaration of Throws for Generic Exception

Edit Custom Filter

CWE-1395: Dependency on Vulnerable Third-Party Component

Edit Custom Filter

CWE-502: Deserialization of Untrusted Data

Edit Custom Filter

CWE-390: Detection of Error Condition Without Action

Edit Custom Filter

CWE-425: Direct Request ('Forced Browsing')

Edit Custom Filter

CWE-369: Divide By Zero

Edit Custom Filter

CWE-494: Download of Code Without Integrity Check

Edit Custom Filter

CWE-506: Embedded Malicious Code

Edit Custom Filter

CWE-258: Empty Password in Configuration File

Edit Custom Filter

CWE-1125: Excessive Attack Surface

Edit Custom Filter

CWE-749: Exposed Dangerous Method or Function

Edit Custom Filter

CWE-548: Exposure of Information Through Directory Listing

Edit Custom Filter