While this year’s 2023 CWE Top 25 list is very important, it is also important to consider how the list has changed from year to year. This can identify interesting trends in real-world, exploitable weaknesses that can inform security policy and investment decision-making. To observe both upward and downward trends in CWE ranks, we tracked CWEs that have shown consistent movement since the CWE Top 25 list’s inception in 2019.
It is important to note that NVD/Top 25 data is very dynamic year to year due to several factors including the types of vulnerabilities reported each year, changes to the remapping strategy, the addition of new CWE entries into the CWE mapping view, and more. Thus, rankings are less reliable as one goes much beyond “the cusp” (i.e., position #40) using the Top 25 methodology due to data biases (e.g., an increase of a few CVEs in the data can drastically change the position of a CWE between the 60 and 100+ ranks). These factors and their impacts will be discussed in a future publication.
Consistent Upward Movers
The following weaknesses have shown a consistently upward trend in ranking. Software developers and maintainers should be aware of these and consider prioritizing them in their remediation efforts.
- CWE-862: Missing Authorization — CWE-862 started out ranked 36th in 2019, which put it on the cusp. It entered the CWE Top 25 in 2020 ranked 25th and has consistently moved up every year, now ranking 11th in 2023 (the highest among consistently upward movers). This could indicate that developers are not consistently implementing authorization techniques when needed, even though the weakness has been present in the CWE Top 25 since 2020. The community should remain diligent about the implementation of authorization.
- CWE-918: Server-Side Request Forgery (SSRF) — CWE-918 started out ranked 32nd in 2019, also putting it on the cusp. It first entered the CWE Top 25 in 2021 with a rank of 24th. While this CWE has not climbed in rank as much as CWE-862, it has steadily climbed to a rank of 19th in 2023.
- CWE-639: Authorization Bypass Through User-Controlled Key — CWE-639 started out ranked far outside of the top 40 in 2019 but saw a steady climb in rank throughout the following years until making its way to 38th in 2023. This puts CWE-639 “on the cusp” for the first time this year and, considering the upward trends, it will be interesting to keep an eye on and take note of its further movement.
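As an added illustration of the two authorization weaknesses named above (this code is not from the CWE Top 25 page), the following Python shows a record-lookup handler that exhibits CWE-862 and CWE-639 beside the same handler with an object-level authorization check; the Invoice type, the sample data and the user ids are constructed for the example.

```python
# Added example (not from the CWE Top 25 page): a minimal record lookup
# with the weakness and with the fix, illustrating CWE-862 (Missing
# Authorization) and CWE-639 (Authorization Bypass Through User-Controlled
# Key). All names, ids and data below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.0),
    1002: Invoice(1002, owner_id=9, amount=55.5),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the record."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    """CWE-862/CWE-639: the invoice_id comes straight from the request and is
    used as the lookup key with no check that it belongs to the caller."""
    return INVOICES[invoice_id]


def get_invoice_fixed(session_user_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization: resolve the record, then verify that the
    authenticated user owns it before returning anything."""
    inv = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so the response does not
    # reveal which invoice ids exist.
    if inv is None or inv.owner_id != session_user_id:
        raise Forbidden("invoice not accessible")
    return inv


def allows_cross_user_read(handler) -> bool:
    """Regression check: can user 7 read invoice 1002, owned by user 9?"""
    try:
        handler(7, 1002)
        return True
    except Forbidden:
        return False
```

The `allows_cross_user_read` check is the kind of test a team can keep in its suite so that a handler which loses its ownership check fails the build.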
Other Upward Movers
Other upward-moving CWEs have never moved down in the rankings but have had at least one year with no rank change. While these trends are not as consistent as those of CWEs that have increased in ranking every year, they are still interesting to note. These are:
Consistent Downward Movers
Weaknesses that have shown a downward trend in ranking could indicate improved awareness and mitigation from the community, although some of these weaknesses remain in the CWE Top 25. Despite the promising trend, these remain important enough for IT professionals to consider. These downward-trending CWEs are described below.
- CWE-190: Integer Overflow or Wraparound — CWE-190 started out ranked 8th in 2019 and is now ranked 14th in 2023. Although this is the smallest change among consistently downward movers, it is notable because of its presence in the Top 25 each year. Regardless of what is causing this downward movement, its current rank shows that more awareness and mitigation are still needed from the community.
- CWE-732: Incorrect Permission Assignment for Critical Resource — CWE-732 started out ranked 15th in 2019 and is now ranked 31st in 2023. It first dropped out of the Top 25 in 2022 and saw a decrease of only one rank in 2023. It is difficult to determine for certain what is causing this steady decrease in rank, but it could possibly be attributed to a greater emphasis on correctly mapping access control CWEs.
- CWE-611: Improper Restriction of XML External Entity Reference — CWE-611 started out ranked 17th in 2019 and is now ranked 28th in 2023. It has decreased in rank steadily, albeit in minor increments, and just recently dropped out of the CWE Top 25 this year.
- CWE-426: Untrusted Search Path — CWE-426 has decreased in rank the most among consistently downward movers, starting out ranked 22nd in 2019 and then falling out of the Top 40 entirely starting in 2021. It is unusual for a previous CWE Top 25 weakness to be well below the cusp. Although it only dropped 4 ranks from 2019 to 2020, it has consistently dropped in the rankings since then. This is likely due to more accurate mappings of vulnerabilities to CWE-427: Uncontrolled Search Path Element, which has moved from outside the cusp in 2019 to 27th in 2023. These CWEs share some similarities, so extra care has been taken in recent years to ensure CVE Records are properly mapped between the two.