CWE-471 (Modification of Assumed-Immutable Data (MAID)) — Vulnerability Class 29

29 vulnerabilities classified as CWE-471 (Modification of Assumed-Immutable Data (MAID)). AI Chinese analysis included.

CWE-471 represents a critical integrity weakness where an application fails to protect data elements it incorrectly assumes are immutable. This vulnerability typically arises when developers treat sensitive inputs, such as hidden form fields, cookies, or reverse DNS lookups, as read-only configuration values rather than untrusted user data. Attackers exploit this flaw by manipulating these assumed-fixed values to bypass security controls, escalate privileges, or alter application logic. For instance, modifying a hidden field to change a user’s role can grant unauthorized access. To mitigate this risk, developers must strictly validate and sanitize all user-supplied inputs, regardless of their source or apparent immutability. Implementing server-side integrity checks and avoiding reliance on client-side constraints ensures that critical data remains protected from unauthorized modification, thereby maintaining the application’s security posture.

MITRE CWE Description
The product does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.
Common Consequences (2)
Integrity: Modify Application Data
Common data types that are attacked are environment variables, web application parameters, and HTTP headers.
Integrity: Unexpected State
Mitigations (1)
Architecture and Design, Operation, Implementation: When the data is stored or transmitted through untrusted sources that could modify the data, implement integrity checks to detect unauthorized modification, or store/transmit the data in a trusted location that is free from external influence.
Examples (1)
In the code excerpt below, an array returned by a Java method is modified despite the fact that arrays are mutable.
Bad · Java:
    String[] colors = car.getAllPossibleColors();
    colors[0] = "Red";
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-33136 | IBM Aspera Faspex data modification — Aspera Faspex | 7.1 | High | 2025-05-22 |
| CVE-2024-9876 | Application is vulnerable to Privilege escalation — ANC | 7.3 | High | 2025-04-30 |
| CVE-2024-55551 | Exasol JDBC Driver security vulnerability — JDBC driver | 8.3 | High | 2025-03-19 |
| CVE-2024-45672 | IBM Security Verify Bridge data manipulation — Security Verify Bridge | 6.0 | Medium | 2025-01-23 |
| CVE-2024-51462 | IBM QRadar WinCollect Agent data manipulation — QRadar WinCollect Agent | 4.0 | Medium | 2025-01-17 |
| CVE-2024-34517 | Neo4j security vulnerability — Neo4j | 6.5 | Medium | 2024-05-07 |
| CVE-2023-46232 | era-compiler-vyper First Immutable Variable Initialization vulnerability — era-compiler-vyper | 5.3 | Medium | 2023-10-25 |
| CVE-2023-43697 | SICK APU security vulnerability — APU0200 | 6.5 | Medium | 2023-10-09 |
| CVE-2023-2904 | CVE-2023-2904 — SAFE | 8.1 | - | 2023-06-07 |
| CVE-2022-2390 | Mutable pending intent in Google Play services SDK — Play Services SDK | 6.1 | Medium | 2022-08-12 |
| CVE-2022-1561 | Crafted backend URLs in Lura Project — Lura Project | 4.0 | Medium | 2022-08-01 |
| CVE-2022-21824 | nodejs code injection vulnerability — Node | 8.2 | - | 2022-02-24 |
| CVE-2021-24046 | Ray-Ban Stories security vulnerability — Ray-Ban® Stories Smart Glasses | 5.3 | - | 2022-01-14 |
| CVE-2021-42701 | AzeoTech DAQFactory — DAQFactory | 5.0 | Medium | 2021-11-05 |
| CVE-2021-37193 | Siemens SINEMA Remote Connect Server security vulnerability — SINEMA Remote Connect Server | 4.3 | - | 2021-09-14 |
| CVE-2021-37177 | Siemens SINEMA Remote Connect Server access control error vulnerability — SINEMA Remote Connect Server | 6.5 | - | 2021-09-14 |
| CVE-2020-26268 | Write to immutable memory region in TensorFlow — tensorflow | 4.4 | Medium | 2020-12-10 |
| CVE-2020-26237 | Prototype Pollution in highlight.js — highlight.js | 5.8 | Medium | 2020-11-24 |
| CVE-2020-8268 | json8-merge-patch input validation error vulnerability — json8-merge-patch | 8.2 | - | 2020-11-09 |
| CVE-2020-15256 | Prototype pollution in object-path — object-path | 7.7 | High | 2020-10-19 |
| CVE-2020-8158 | TypeORM SQL injection vulnerability — typeorm | 9.8 | - | 2020-09-18 |
| CVE-2020-8147 | npm package utils-extend input validation error vulnerability — utils-extend | 9.8 | - | 2020-04-03 |
| CVE-2020-8116 | dot-prop security vulnerability — dot-prop | 6.5 | - | 2020-02-04 |
| CVE-2018-3719 | mixin-deep security vulnerability — mixin-deep node module | 8.8 | - | 2018-06-07 |
| CVE-2018-3723 | defaults-deep input validation vulnerability — defaults-deep node module | 8.8 | - | 2018-06-07 |
| CVE-2018-3722 | merge-deep node module security vulnerability — merge-deep node module | 8.8 | - | 2018-06-07 |
| CVE-2018-3721 | lodash node module security vulnerability — lodash node module | 8.8 | - | 2018-06-07 |
| CVE-2018-3720 | assign-deep node module security vulnerability — assign-deep node module | 8.8 | - | 2018-06-07 |
| CVE-2018-3728 | Hoek access control error vulnerability — hoek node module | 8.8 | - | 2018-03-30 |

Vulnerabilities classified as CWE-471 (Modification of Assumed-Immutable Data (MAID)) represent 29 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.