
CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')) · Vulnerability Class · 35 CVEs

35 vulnerabilities classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')). AI-generated Chinese analysis included.

CWE-470 is an input validation weakness in which an application uses reflection to select a class or method from externally controlled data without adequately restricting what that data may name. An attacker exploits it by supplying an identifier that resolves to an unintended or dangerous class: the application then instantiates or invokes code the developer never meant to expose through that path, which can bypass authentication or access-control checks, lead to remote code execution, crash the process, or expose sensitive data. The root cause is that a user-supplied string, rather than application logic, decides program flow. The mitigation is to stop deriving class or method names from input: select the implementation indirectly through a fixed allowlist (for example, a map from expected command names to factories) so that only predefined, expected classes can ever be loaded, and reject any identifier not on that list. Validating or sanitizing the string is secondary to that structural change, because a pattern check cannot know which classes happen to be present on the classpath.

MITRE CWE Description
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.
Common Consequences (3)
Scope: Integrity, Confidentiality, Availability, Other · Impact: Execute Unauthorized Code or Commands; Alter Execution Logic
    The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state.
Scope: Availability, Other · Impact: DoS: Crash, Exit, or Restart; Other
    The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang.
Scope: Confidentiality · Impact: Read Application Data
    By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536.
Mitigations (3)
Phase: Architecture and Design · Refactor your code to avoid using reflection.
Phase: Architecture and Design · Do not use user-controlled inputs to select and load classes or code.
Phase: Implementation · Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
Examples (1)
A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:

Good · Java
    // Fixed set of commands: the request parameter is compared against known
    // names and is never used to load a class.
    String ctl = request.getParameter("ctl");
    Worker ao = null;
    if (ctl.equals("Add")) {
        ao = new AddCommand();
    } else if (ctl.equals("Modify")) {
        ao = new ModifyCommand();
    } else {
        throw new UnknownActionError();
    }
    ao.doAction(request);

The same dispatcher refactored to use reflection is vulnerable: the request parameter now decides which class is loaded.

Bad · Java
    // CWE-470: the class name is built from attacker-controlled input. Any
    // class on the classpath whose name ends in "Command" and has a no-arg
    // constructor can be instantiated, including ones this endpoint was
    // never meant to expose.
    String ctl = request.getParameter("ctl");
    Class cmdClass = Class.forName(ctl + "Command");
    Worker ao = (Worker) cmdClass.newInstance();
    ao.doAction(request);
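The following is an added, runnable Java demonstration; it is not MITRE's example and not code from any of the products listed on this page. It puts the reflection dispatcher from the Bad example beside the allowlist / indirect-selection mitigation from the Mitigations section. It assumes a hypothetical command hierarchy (Worker, AddCommand, ModifyCommand, and an AdminResetCommand that is supposed to sit behind an administrator check) and a constructed attacker value "AdminReset". It shows that the reflection dispatcher happily instantiates the privileged class because its name ends in "Command", while the allowlist dispatcher rejects the same input before any class is loaded.

```java
import java.util.Map;
import java.util.function.Supplier;

// Added example, not MITRE's or the page's own code. All class names here
// (Worker, AddCommand, ModifyCommand, AdminResetCommand, UnknownActionError)
// are hypothetical stand-ins for an application's command hierarchy.
interface Worker {
    String doAction(String request);
}

// The two commands this endpoint is meant to expose.
class AddCommand implements Worker {
    public String doAction(String request) { return "added " + request; }
}

class ModifyCommand implements Worker {
    public String doAction(String request) { return "modified " + request; }
}

// A privileged command that exists elsewhere in the application and is
// supposed to be reachable only behind an administrator check.
class AdminResetCommand implements Worker {
    public String doAction(String request) { return "reset all data"; }
}

class UnknownActionError extends RuntimeException {
    UnknownActionError(String ctl) { super("unknown action: " + ctl); }
}

public class DispatcherDemo {

    // VULNERABLE (CWE-470): the class name is derived from request input.
    // Appending "Command" is not a safeguard: any class on the classpath whose
    // name ends in "Command" and has a no-arg constructor can be instantiated.
    static Worker unsafeDispatch(String ctl) throws ReflectiveOperationException {
        Class<?> cmdClass = Class.forName(ctl + "Command");
        return (Worker) cmdClass.getDeclaredConstructor().newInstance();
    }

    // HARDENED: indirect selection through a fixed allowlist. The request
    // value is only ever used as a map key and never reaches the class loader,
    // so exposing a new command means adding an entry here on purpose.
    private static final Map<String, Supplier<Worker>> COMMANDS = Map.of(
        "Add", AddCommand::new,
        "Modify", ModifyCommand::new
    );

    static Worker safeDispatch(String ctl) {
        Supplier<Worker> factory = COMMANDS.get(ctl);
        if (factory == null) {
            throw new UnknownActionError(ctl);
        }
        return factory.get();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input: a value the application's UI never offers.
        String attackerCtl = "AdminReset";

        // Reflection: the attacker reaches a command the endpoint never intended to expose.
        System.out.println("unsafe: " + unsafeDispatch(attackerCtl).doAction("order-42"));

        // Allowlist: the same input is rejected before any class is loaded.
        try {
            safeDispatch(attackerCtl);
        } catch (UnknownActionError e) {
            System.out.println("safe: rejected, " + e.getMessage());
        }
        System.out.println("safe: " + safeDispatch("Add").doAction("order-42"));
    }
}
```

Compile and run with `javac DispatcherDemo.java && java DispatcherDemo` (Java 9 or later, for Map.of). The point of the map is that the set of reachable classes is closed at compile time: a code reviewer can read COMMANDS and know exactly what a request can invoke, which is not possible for Class.forName over a classpath that may later gain jars (CWE-426, CWE-427).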
CVE ID | Title (affected component) | CVSS | Severity | Published
CVE-2022-41853 | Remote code execution in HyperSQL DataBase (hsqldb) | 8.0 | High | 2022-10-06
CVE-2022-23744 | Check Point Endpoint Security Client security vulnerability (Enterprise Endpoint Security Windows Clients) | 3.4 | - | 2022-07-07
CVE-2020-7857 | Tobesoft Xplatform input validation error vulnerability (XPlatform) | 7.5 | High | 2021-04-20
CVE-2019-10174 | Red Hat Infinispan security vulnerability (infinispan) | 9.1 | - | 2019-11-25
CVE-2019-3834 | Red Hat JBoss Operations Network security vulnerability (struts) | 8.6 | - | 2019-10-03

Vulnerabilities classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')) account for 35 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.