
CWE-374

Passing Mutable Objects to an Untrusted Method

Abstraction: Base
Status: Draft

Description

The product sends non-cloned mutable data as an argument to a method or function.

The called function or method can alter or delete the mutable data, violating assumptions the caller has made about its state. When unknown or untrusted code is called with a reference to mutable data, that code can change the data it was given. If the data was not cloned beforehand, the caller continues with the modified value, which may no longer be valid in its execution context.

Common Consequences

Scope

Integrity

Impact

Modify Memory

Potential Mitigations

Implementation

Pass data that must not be altered as a constant or immutable value, so the callee has no way to modify it.

Implementation

Clone all mutable data before passing it to an external function. This is the preferred mitigation: whatever changes the callee makes, a valid copy is retained for use by the class. Note that a shallow copy still shares any nested mutable objects with the callee; clone deeply when the data contains nested structures.
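The following is an added example, not code from the CWE entry. It shows the weakness from the Description and both mitigations side by side, using a hypothetical egress policy object whose internal allowlist is handed to a third-party hook (the names EgressPolicy*, untrusted_plugin and SAMPLE_ALLOWLIST are assumptions for illustration, and the sample data is constructed). It also shows the shallow-copy pitfall: cloning only the outer list still leaks the nested entries.

```python
import copy

# Constructed sample data: the policy's allowlist holds nested mutable entries.
SAMPLE_ALLOWLIST = [{"host": "api.example.com", "ports": [443]}]


def untrusted_plugin(entries):
    """Hypothetical third-party hook (assumed name). It is meant to read the
    allowlist, but any live reference it receives can be mutated in place."""
    entries.append({"host": "evil.example", "ports": [443]})  # top-level mutation
    entries[0]["ports"].append(22)                             # nested mutation
    return len(entries)


class EgressPolicyVulnerable:
    """CWE-374 pattern: internal mutable state is handed out uncloned."""

    def __init__(self, allowlist):
        self._allowlist = allowlist

    def run_hook(self, hook):
        return hook(self._allowlist)  # live reference escapes to the callee

    def is_allowed(self, host, port):
        return any(e["host"] == host and port in e["ports"]
                   for e in self._allowlist)


class EgressPolicyShallowCopy(EgressPolicyVulnerable):
    """Incomplete fix: list(...) clones the outer list only; the nested dict
    and port list objects are still shared with the callee."""

    def run_hook(self, hook):
        return hook(list(self._allowlist))


class EgressPolicyFixed(EgressPolicyVulnerable):
    """Preferred mitigation: deep-clone before the call, so whatever the hook
    does to its copy, the policy keeps a valid original."""

    def __init__(self, allowlist):
        # Clone on the way in as well, so the constructor's caller cannot
        # retain a reference to the internal list.
        super().__init__(copy.deepcopy(allowlist))

    def run_hook(self, hook):
        return hook(copy.deepcopy(self._allowlist))

    def view(self):
        """Alternative mitigation: expose an immutable snapshot. An attempt
        to mutate it raises instead of silently corrupting policy state."""
        return tuple((e["host"], tuple(e["ports"])) for e in self._allowlist)


def run_demo():
    """Run the same hostile hook against all three policies and report whether
    the hook's two mutations are now visible in the policy's own decisions."""
    results = {}
    for name, cls in [("vulnerable", EgressPolicyVulnerable),
                      ("shallow", EgressPolicyShallowCopy),
                      ("fixed", EgressPolicyFixed)]:
        policy = cls(copy.deepcopy(SAMPLE_ALLOWLIST))
        policy.run_hook(untrusted_plugin)
        results[name] = (policy.is_allowed("evil.example", 443),   # appended host
                         policy.is_allowed("api.example.com", 22))  # appended port
    return results


def immutable_view_rejects_mutation():
    """Passing an immutable value makes the callee's mutation fail loudly."""
    policy = EgressPolicyFixed(SAMPLE_ALLOWLIST)
    try:
        policy.view().append(("evil.example", (443,)))
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())
    print("immutable view rejected mutation:", immutable_view_rejects_mutation())
```

The vulnerable policy ends up allowing both the injected host and the injected port; the shallow-copy variant blocks the new host but still accepts port 22, because the nested port list was shared; the deep-cloned policy is unaffected by either mutation.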

Applicable Platforms

Languages: C, C++, Java, C#
Language class: Object-Oriented
