CWE-913 (Improper Control of Dynamically-Managed Code Resources) — Vulnerability Class 47

47 vulnerabilities classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources). AI Chinese analysis included.

CWE-913 represents a critical weakness where software fails to properly restrict access to dynamically-managed code resources, including variables, objects, classes, and executable instructions. This vulnerability typically arises in languages supporting dynamic code generation or modification, such as JavaScript or Python, where attackers exploit insufficient validation to inject malicious scripts or alter runtime behavior. By manipulating these dynamic elements, adversaries can achieve remote code execution, data injection, or privilege escalation, bypassing standard security controls. To mitigate this risk, developers must enforce strict input validation and sanitization on all dynamic inputs. Implementing robust access controls, utilizing secure coding frameworks that limit dynamic execution capabilities, and adopting a principle of least privilege for runtime environments are essential strategies. Regular security audits and static analysis tools further help identify and remediate these dangerous dynamic resource interactions before deployment.

MITRE CWE Description
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
Common Consequences (2)
Integrity: Execute Unauthorized Code or Commands
Other, Integrity: Varies by Context, Alter Execution Logic
Mitigations (2)
Implementation: For any externally-influenced input, check the input against an allowlist of acceptable values.
Implementation, Architecture and Design: Refactor the code so that it does not need to be dynamically managed.
Examples (2)
This example attempts to write user messages to a message file and allow users to view them.
    $MessageFile = "messages.out";
    if ($_GET["action"] == "NewMessage") {
        $name = $_GET["name"];
        $message = $_GET["message"];
        $handle = fopen($MessageFile, "a+");
        fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
        fclose($handle);
        echo "Message Saved!<p>\n";
    } else if ($_GET["action"] == "ViewMessages") {
        include($MessageFile);
    }
Bad · PHP
name=h4x0r message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
Attack
A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:
    String ctl = request.getParameter("ctl");
    Worker ao = null;
    if (ctl.equals("Add")) {
        ao = new AddCommand();
    } else if (ctl.equals("Modify")) {
        ao = new ModifyCommand();
    } else {
        throw new UnknownActionError();
    }
    ao.doAction(request);
Good · Java
    String ctl = request.getParameter("ctl");
    Class cmdClass = Class.forName(ctl + "Command");
    Worker ao = (Worker) cmdClass.newInstance();
    ao.doAction(request);
Bad · Java
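The same contrast as an added Python example (not part of the CWE entry): dispatch_dynamic reproduces the reflective lookup with getattr, and dispatch_allowlisted is the refactored form that applies the allowlist mitigation above. The Commands class, its method names and the reset_store helper are constructed for the illustration.

```python
"""CWE-913 dispatcher: reflective attribute lookup vs. an explicit allowlist.

Added example; the Commands class, its method names and reset_store are
constructed for illustration and are not part of the CWE entry.
"""
from typing import Callable, Dict


class Commands:
    """Request handlers; only Add and Modify are meant to be user-reachable."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def add(self, key: str, value: str) -> str:
        self.store[key] = value
        return f"added {key}"

    def modify(self, key: str, value: str) -> str:
        if key not in self.store:
            raise KeyError(key)
        self.store[key] = value
        return f"modified {key}"

    def reset_store(self) -> str:
        """Internal maintenance, never intended as a request action."""
        self.store.clear()
        return "store reset"


def dispatch_dynamic(cmds: Commands, ctl: str, *args: str) -> str:
    """Bad: the request string is resolved to code verbatim, so every
    attribute of Commands (reset_store included) is a reachable action."""
    return getattr(cmds, ctl)(*args)


# Good: the request string is only a key into a fixed table of actions.
ALLOWED_ACTIONS: Dict[str, Callable[..., str]] = {
    "Add": Commands.add,
    "Modify": Commands.modify,
}


def dispatch_allowlisted(cmds: Commands, ctl: str, *args: str) -> str:
    """Reject any action not on the allowlist before resolving any code."""
    action = ALLOWED_ACTIONS.get(ctl)
    if action is None:
        raise ValueError(f"unknown action: {ctl!r}")
    return action(cmds, *args)
```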
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34156 | NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node | nocobase | 10.0 | Critical | 2026-03-31 |
| CVE-2026-33286 | Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names | graphiti | 9.1 | Critical | 2026-03-23 |
| CVE-2025-69219 | Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator | Apache Airflow Providers Http | 8.8 (AI) | High (AI) | 2026-03-09 |
| CVE-2026-25049 | n8n Has an Expression Escape Vulnerability Leading to RCE | n8n | 9.9 (AI) | Critical (AI) | 2026-02-04 |
| CVE-2026-1770 | Improper Control of Dynamically-Managed Code Resources in Crafter Studio | CrafterCMS | 8.8 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-68613 | n8n Vulnerable to Remote Code Execution via Expression Injection | n8n | 10.0 | Critical | 2025-12-19 |
| CVE-2025-14695 | SamuNatsu HaloBot Inter-plugin API index.js html_renderer dynamically-managed code resources | HaloBot | 6.3 | Medium | 2025-12-15 |
| CVE-2025-13659 | Ivanti Endpoint Manager security vulnerability | Endpoint Manager | 8.8 | High | 2025-12-09 |
| CVE-2025-13426 | Improper Sandboxing in Google Apigee's JavaCallout Policy Allows for Remote Code Execution | Apigee hybrid Javacallout policy | 8.8 | - | 2025-12-05 |
| CVE-2024-5401 | Synology DiskStation Manager and Synology Unified Controller security vulnerability | DiskStation Manager (DSM) | 4.3 | Medium | 2025-12-04 |
| CVE-2025-54065 | GZDoom engine allows arbitrary code execution via ZScript actor states | gzdoom | 7.8 | High | 2025-12-03 |
| CVE-2025-9905 | Arbitrary Code execution in Keras load_model() | Keras | 7.8 | - | 2025-09-19 |
| CVE-2025-25270 | Remote Code Execution via Unauthenticated Configuration Manipulation | CHARX SEC-3150 | 9.8 | Critical | 2025-07-08 |
| CVE-2025-6705 | Eclipse Open VSX security vulnerability | Eclipse Open VSX Registry | 9.8 (AI) | Critical (AI) | 2025-06-27 |
| CVE-2025-6384 | Improper Control of Dynamically-Managed Code Resources in Crafter Studio | CrafterCMS | 8.8 (AI) | High (AI) | 2025-06-19 |
| CVE-2025-46675 | CryptoLib security vulnerability | CryptoLib | 3.5 | Low | 2025-04-27 |
| CVE-2025-46673 | CryptoLib security vulnerability | CryptoLib | 4.9 | Medium | 2025-04-27 |
| CVE-2022-31764 | Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC | Apache ShardingSphere ElasticJob-UI | 9.8 | - | 2025-02-06 |
| CVE-2024-7297 | Langflow Privilege Escalation | | 8.8 | High | 2024-07-30 |
| CVE-2024-2537 | Electron Code Injection in Logi Tune macOS Application | Logi Tune | 4.4 | Medium | 2024-03-15 |
| CVE-2024-27135 | Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution | Apache Pulsar | 8.5 | High | 2024-03-12 |
| CVE-2023-6184 | Citrix Systems Session Recording security vulnerability | Citrix Session Recording | 5.0 | Medium | 2024-01-18 |
| CVE-2023-5763 | Glassfish remote code execution | Glassfish | 6.8 | Medium | 2023-11-03 |
| CVE-2023-37271 | RestrictedPython vulnerable to arbitrary code execution via stack frame sandbox escape | RestrictedPython | 8.4 | High | 2023-07-11 |
| CVE-2023-35930 | LookupResources may return partial results in spicedb | spicedb | 3.7 | Low | 2023-06-26 |
| CVE-2023-29199 | vm2 Sandbox escape vulnerability | vm2 | 9.8 | Critical | 2023-04-14 |
| CVE-2023-29017 | vm2 Sandbox Escape vulnerability | vm2 | 10.0 | Critical | 2023-04-06 |
| CVE-2023-25560 | JSON Injection in DataHub | datahub | 8.2 | High | 2023-02-10 |
| CVE-2022-3225 | Improper Control of Dynamically-Managed Code Resources in budibase/budibase | budibase/budibase | 8.8 | High | 2022-09-16 |
| CVE-2022-40635 | Improper Control of Dynamically-Managed Code Resources in Crafter Studio | Crafter CMS | 6.4 | Medium | 2022-09-13 |

Vulnerabilities classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.