
CWE-488 (Exposure of Data Element to Wrong Session) — Vulnerability Class 20

20 vulnerabilities classified as CWE-488 (Exposure of Data Element to Wrong Session). AI-generated Chinese analysis included.

CWE-488 is an architectural flaw in which an application fails to enforce strict boundaries between distinct user sessions, so sensitive data leaks from one context into another. It typically arises when developers misuse shared resources, such as singleton objects or pooled connections, by keeping session-specific state in static member variables or class-level fields. A later request may then read data that belongs to an earlier user, leading to confidentiality breaches or actions performed under the wrong identity. To mitigate the risk, session-dependent data must live in thread-safe, instance- or request-specific scope rather than in global or static memory. Using a robust session management framework and rigorously auditing code for improper state sharing in multi-threaded environments are essential to prevent data bleeding and keep concurrent user interactions isolated.

MITRE CWE Description
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. Data can "bleed" from one session to another through member variables of singleton objects, such as Servlets, and objects from a shared pool. In the case of Servlets, developers sometimes do not understand that, unless a Servlet implements the SingleThreadModel interface, the Servlet is a singleton; there is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads. A common result is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data.
Mitigations (3)
Phase: Architecture and Design. Protect the application's sessions from information leakage. Make sure that a session's data is not used by or visible to other sessions.
Phase: Testing. Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).
Phase: Architecture and Design. In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.
Examples (1)
The following Servlet stores the value of a request parameter in a member field and then later echoes the parameter value to the response output stream.

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class GuestBook extends HttpServlet {
        // Member field: the Servlet is a singleton, so this one field is shared
        // by every request thread the container dispatches to doPost().
        String name;

        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException {
            name = req.getParameter("name");
            ...
            PrintWriter out = res.getWriter();
            // Another thread may have overwritten `name` since it was stored above.
            out.println(name + ", thanks for visiting!");
        }
    }

Bad · Java
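As an added illustration (not MITRE's or this site's code), the following plain-JDK simulation stands in for the Servlet container's thread pool: LeakyGuestBook reproduces the member-field pattern of GuestBook, SafeGuestBook keeps the value in a local variable, and countBleeds reports how many responses were delivered with another caller's name. The class names, the 1 ms delay and the request counts are constructed for the demonstration; the equivalent fix in the real Servlet is to declare `String name = req.getParameter("name");` as a local inside doPost.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;

// Stand-in for a singleton Servlet driven by a container thread pool (constructed example).
interface Handler { String handle(String name) throws InterruptedException; }

// Mirrors GuestBook: the parameter is parked in a member field shared by all request threads.
class LeakyGuestBook implements Handler {
    String name;                                  // one field, many concurrent requests
    public String handle(String param) throws InterruptedException {
        name = param;
        Thread.sleep(1);                          // models the work elided by "..." in GuestBook
        return name + ", thanks for visiting!";   // may now hold another request's value
    }
}

// The fix: request data lives in a local variable, which is per-thread by construction.
class SafeGuestBook implements Handler {
    public String handle(String param) throws InterruptedException {
        String name = param;                      // local: never visible to other requests
        Thread.sleep(1);
        return name + ", thanks for visiting!";
    }
}

public class SessionBleedDemo {
    // Issues `requests` concurrent requests with distinct names and returns how many
    // responses carried a name that did not belong to the caller who sent the request.
    static int countBleeds(Handler h, int requests) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(16);
        CountDownLatch done = new CountDownLatch(requests);
        AtomicInteger bleeds = new AtomicInteger();
        for (int i = 0; i < requests; i++) {
            final String me = "user" + i;         // "user1," cannot prefix-match "user10,"
            pool.execute(() -> {
                try {
                    if (!h.handle(me).startsWith(me + ",")) bleeds.incrementAndGet();
                } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
                finally { done.countDown(); }
            });
        }
        done.await();
        pool.shutdown();
        return bleeds.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("leaky: " + countBleeds(new LeakyGuestBook(), 1000) + " responses reached the wrong user");
        System.out.println("safe : " + countBleeds(new SafeGuestBook(), 1000) + " responses reached the wrong user");
    }
}
```

The leaky count is nondeterministic, since it depends on thread scheduling, but with 16 threads and a 1 ms window it is reliably non-zero, while the safe handler always reports 0.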
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-34391 | Fleet Vulnerable to Windows MDM cross-device command disclosure | fleet | 6.5 | - | 2026-03-27
CVE-2026-23919 | Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server | Zabbix | 2.7 | - | 2026-03-24
CVE-2026-27492 | Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused | lettermint-node | 4.7 | Medium | 2026-02-21
CVE-2026-23844 | Whisper Money has IDOR Vulnerability on sync/balances endpoint | whisper-money | 6.5 (AI) | Medium (AI) | 2026-01-19
CVE-2026-23646 | OpenProject users can delete other user's session, causing them to be logged out | openproject | 6.5 | Medium | 2026-01-19
CVE-2025-24934 | SO_REUSEPORT_LB breaks connect(2) for UDP sockets | FreeBSD | 6.2 (AI) | Medium (AI) | 2025-10-22
CVE-2025-47928 | Spotipy repo vulnerable to secrets exfiltration via `pull_request_target` | spotipy | 9.1 | Critical | 2025-05-15
CVE-2025-2312 | cifs.upcall makes an upcall to the wrong namespace in containerized environments | cifs-utils | 5.9 | Medium | 2025-03-25
CVE-2025-27606 | Element Android PIN autologout bypass | element-android | 5.1 | Medium | 2025-03-14
CVE-2025-1247 | Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance | - | 8.3 | High | 2025-02-13
CVE-2023-1907 | Pgadmin: users authenticated simultaneously via ldap may be attached to the wrong session | - | 8.0 | High | 2025-01-09
CVE-2024-11094 | 404 Solution <= 2.35.17 - Missing Authentication to Sensitive Information Exposure | 404 Solution | 5.3 | Medium | 2024-11-16
CVE-2024-7049 | Exposure of Token in open-webui/open-webui | open-webui/open-webui | 8.1 (AI) | High (AI) | 2024-10-10
CVE-2024-5148 | Gnome-remote-desktop: inadequate validation of session agents using d-bus methods may expose rdp tls certificate | - | 7.5 | High | 2024-09-02
CVE-2024-41977 | Security vulnerability in multiple Siemens products | RUGGEDCOM RM1224 LTE(4G) EU | 7.1 | High | 2024-08-13
CVE-2024-38367 | CocoaPods trunk sessions verification step could be manipulated for owner session hijacking | CocoaPods | 8.2 | High | 2024-07-01
CVE-2024-6162 | Undertow: url-encoded request path information can be broken on ajp-listener | - | 7.5 | High | 2024-06-20
CVE-2024-1223 | Improper authorization controls in PaperCut NG/MF | PaperCut NG, PaperCut MF | 4.8 | Medium | 2024-03-14
CVE-2024-27935 | Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination | deno | 7.2 | High | 2024-03-06
CVE-2023-6519 | Seeing admin password hash value in Mia Technology's Mia-Med | MİA-MED | 7.5 | High | 2024-02-08

(AI) marks a score or severity rating produced by the site's AI analysis; "-" means the field was not given.

The 20 CVEs listed above are classified as CWE-488 (Exposure of Data Element to Wrong Session). The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.