
CWE-495 (Private Data Structure Returned From a Public Method) — Vulnerability Class 1

1 vulnerability classified as CWE-495 (Private Data Structure Returned From a Public Method). AI-generated analysis (in Chinese) included.

CWE-495 is a design weakness in which a public method returns a reference to an internal, private data structure instead of a copy or a read-only view. This breaks encapsulation: any code that can call the accessor can modify the object's internal state directly, bypassing whatever validation the class's own setters perform. Whether that matters for security depends on what the structure holds. If it is an allow-list, a set of permissions, a key, or a buffer whose contents are later trusted, a caller in the same process (including plug-in or script code the application did not write) can alter it to corrupt application logic or defeat a check. The standard fixes are to return a defensive copy of mutable data, to return an immutable view (a const reference, an unmodifiable collection), or to expose only setter methods that enforce the class's invariants; a reference to private state should never be handed to the outside.

MITRE CWE Description
The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
Common Consequences (1)
Integrity: Modify Application Data
The contents of the data structure can be modified from outside the intended scope.

Mitigations (3)
Implementation: Declare the method private.
Implementation: Clone the member data and keep an unmodified version of the data private to the object.
Implementation: Use public setter methods that govern how a private member can be modified.
Examples (2)
Here, a public method in a Java class returns a reference to a private array. Because arrays in Java are mutable, any modification made through the returned reference is reflected in the original private array.

    private String[] colors;

    // BAD: hands out the array itself rather than a copy, so callers can overwrite its elements
    public String[] getColors() {
        return colors;
    }

Bad · Java
In this example, the Color class defines functions that return non-const references to private members (an array type and an integer type), which are then arbitrarily altered from outside the control of the class. (The array member and the array-reference return type are written in valid C++ syntax here; the intent of the example is unchanged.)

    class Color {
    private:
        int colorArray[2];
        int colorValue;
    public:
        Color() : colorArray{ 1, 2 }, colorValue(3) {}
        int (&fa())[2] { return colorArray; }   // BAD: returns reference to private array
        int &fv() { return colorValue; }        // BAD: returns reference to private integer
    };

    int main() {
        Color c;
        c.fa()[1] = 42;   // modifies private array element
        c.fv() = 42;      // modifies private int
        return 0;
    }

Bad · C++
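The examples above show only the leak. The following is an added example, not code from the CWE entry or from any product, that puts the weakness next to the three mitigations listed above in working C++: a privilege check whose allow-list is exposed through a non-const reference, and the same check rewritten to return a const view, a defensive copy, and a governed setter. The class and function names (LeakyPolicy, GuardedPolicy, isAllowed, grant) and the "never grant admin" rule are illustrative assumptions.

```cpp
// Added example (not from the CWE entry or any product). Names and the
// "never grant admin" invariant are illustrative assumptions.
#include <algorithm>
#include <cassert>
#include <stdexcept>
#include <string>
#include <vector>

// BAD (CWE-495): the public accessor hands out a non-const reference to the
// private allow-list, so any caller can rewrite it and then pass isAllowed().
class LeakyPolicy {
public:
    LeakyPolicy() : allowed_{"viewer", "editor"} {}
    std::vector<std::string>& allowedRoles() { return allowed_; }  // leaks internal state
    bool isAllowed(const std::string& role) const {
        return std::find(allowed_.begin(), allowed_.end(), role) != allowed_.end();
    }
private:
    std::vector<std::string> allowed_;
};

// GOOD: callers get a read-only view or a defensive copy; the only write path
// is a setter that enforces the class's own rule.
class GuardedPolicy {
public:
    GuardedPolicy() : allowed_{"viewer", "editor"} {}
    // Immutable view: the reference is const, so callers cannot mutate through it.
    const std::vector<std::string>& allowedRoles() const { return allowed_; }
    // Defensive copy: a separate object the caller may change without effect here.
    std::vector<std::string> allowedRolesCopy() const { return allowed_; }
    // Governed setter: the invariant lives in the class, not in every caller.
    void grant(const std::string& role) {
        if (role == "admin") throw std::invalid_argument("admin cannot be granted");
        allowed_.push_back(role);
    }
    bool isAllowed(const std::string& role) const {
        return std::find(allowed_.begin(), allowed_.end(), role) != allowed_.end();
    }
private:
    std::vector<std::string> allowed_;
};

// Caller code outside the class. With LeakyPolicy it appends "admin" straight
// into the private list and the check it was never meant to pass now passes.
bool leakyCheckAfterTamper() {
    LeakyPolicy p;
    p.allowedRoles().push_back("admin");  // compiles and mutates private state
    return p.isAllowed("admin");          // true: check bypassed
}

// With GuardedPolicy the same caller cannot reach the private list: editing the
// copy leaves the object untouched, and grant() rejects the escalation.
bool guardedCheckAfterTamper() {
    GuardedPolicy p;
    std::vector<std::string> copy = p.allowedRolesCopy();
    copy.push_back("admin");              // only the copy changes
    // p.allowedRoles().push_back("admin");  // does not compile: const reference
    try {
        p.grant("admin");
    } catch (const std::invalid_argument&) {
        // rejected by the setter; allowed_ is unchanged
    }
    return p.isAllowed("admin");          // false
}

int main() {
    assert(leakyCheckAfterTamper() == true);
    assert(guardedCheckAfterTamper() == false);
    return 0;
}
```

Returning the const reference is cheaper than copying but is only safe while the object outlives the caller's use of it and the element type itself is not mutable through the view; where the caller needs to keep or modify the data, the copy is the right choice.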
CVE ID          Title                                                                                     CVSS  Severity  Published
CVE-2025-29868  Apache Answer: Using externally referenced images can leak user privacy. (Apache Answer)  6.5   -         2025-04-01

Vulnerabilities classified as CWE-495 (Private Data Structure Returned From a Public Method) currently amount to 1 CVE. The CWE taxonomy describes the weakness; review each CVE for product-specific impact.