Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE Top 25 > 2023 Stubborn Weaknesses in the CWE Top 25  

Stubborn Weaknesses in the CWE Top 25

Over the span of the last five publications of the CWE Top 25 Most Dangerous Software Weaknesses (2019-2023), there are 15 weaknesses that have been present in every list. This suggests that despite ongoing visibility to the community, these 15 weaknesses represent the most challenging weaknesses that exist today. A more focused training effort is needed to enhance developer practices to ensure that these weaknesses do not continue to introduce unnecessary risk to customer data and services.

The table below notes these especially stubborn weaknesses. Also, table includes references to proposed mitigations for each CWE that can be incorporated into software development programs and training material to reduce occurrences/impact of that CWE.

Table 1. Stubborn Weaknesses in the CWE Top 25

CWE-ID Description Potential Mitigation(s) 2023 Rank
CWE-787 Out-of-bounds Write View 1
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) View 2
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) View 3
CWE-416 Use After Free View 4
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View 5
CWE-20 Improper Input Validation View 6
CWE-125 Out-of-bounds Read View 7
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) View 8
CWE-352 Cross-Site Request Forgery (CSRF) View 9
CWE-476 NULL Pointer Dereference View 12
CWE-287 Improper Authentication View 13
CWE-190 Integer Overflow or Wraparound View 14
CWE-502 Deserialization of Untrusted Data View 15
CWE-119 Improper Restriction of Operations within Bounds of a Memory Buffer View 17
CWE-798 Use of Hard-coded Credentials View 18

Each of the stubborn weaknesses identified above can be viewed as falling within one of three informal groupings:

  1. Error prone processing of data originating from untrusted sources that often results in an initial entry point for an attacker to compromise an IT system.
    CWE-20, CWE-22, CWE-78, CWE-79, CWE-89, CWE-125, and CWE-502 are in this group. Six (out of seven) of these weaknesses have been in the top 10 for the last three years.

  2. Weaknesses associated with languages that do not have strong support for memory management or type enforcement.
    CWE-119, CWE-190, CWE-416, CWE-787, and CWE-476 are in this group. Of these, CWE-787, CWE-416, and CWE-352 were ranked in the top 10 for all five years, while CWE-476, CWE-287, and CWE-798 were mainstays in positions 12-20.

  3. Weaknesses introduced into a system because of a poor security architecture or poor security design choices.
    CWE-352, CWE-287, and CWE-798 are in this group.

It is notable that, although memory management weaknesses continue to be a source of many reported vulnerabilities, it can also be observed that there is some traction in the community in reducing these types of weakness. During the 5-year evaluation period, CWE-119 fell from rank 1 (in year 1) to rank 17 (in year 5) and CWE-190 fell from rank 5 (in year 1) to rank 7 (in year 5). These are small but encouraging developments.

These improvements could be attributed to increased focus on memory weaknesses and mitigations as demonstrated by recent community interest in memory safety issues, as exhibited by:

While all of these stubborn weaknesses continue to be an issue, they can be prevented and mitigated in numerous ways across the lifecycle. The community should continue to push toward moving security left to the architecture and design phases of the lifecycle with proper design and selection of tools for the task at hand.

NOTE: This page was revised on September 19, 2023, to update text and links to the most current information.

Page Last Updated: September 18, 2023