
CWE-914 (Improper Control of Dynamically-Identified Variables) — Vulnerability Class 5

5 vulnerabilities classified as CWE-914 (Improper Control of Dynamically-Identified Variables). AI Chinese analysis included.

CWE-914 is a weakness in which software fails to restrict reads from or writes to variables whose names are chosen at runtime. It arises when code relies on language features that resolve a variable from an input string, such as PHP's `$$` (variable variables) and `extract()` or Python's `eval()`. An attacker who controls that input can overwrite variables the program never intended to expose, leading to unauthorized data modification, privilege escalation, or code execution. To mitigate the risk, every externally influenced input must be validated against a strict allowlist of the variable names that may legitimately be set, and dynamic variable resolution should be avoided altogether where the code can be refactored to use explicitly named variables. Keeping data separate from the program's own state in this way prevents attackers from steering program logic by supplying unexpected variable names.

MITRE CWE Description
The product does not properly restrict reading from or writing to dynamically-identified variables. Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.
Common Consequences (3)
- Integrity: Modify Application Data. An attacker could modify sensitive data or program variables.
- Integrity: Execute Unauthorized Code or Commands.
- Other, Integrity: Varies by Context, Alter Execution Logic.
Mitigations (2)
- Implementation: For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.
- Implementation, Architecture and Design: Refactor the code so that internal program variables do not need to be dynamically identified.
Examples (1)
This code uses the credentials sent in a POST request to log in a user. (Bad example, PHP)

```php
// Log user in, and set $isAdmin to true if user is an administrator
function login($user, $pass) {
    $query = buildQuery($user, $pass);
    mysql_query($query);
    if (getUserRole($user) == "Admin") {
        $isAdmin = true;   // note: this assigns a local, not the global $isAdmin
    }
}

$isAdmin = false;
extract($_POST);   // every POST field becomes a global variable, including a POSTed "isAdmin"
login(mysql_real_escape_string($user), mysql_real_escape_string($pass));
```
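The following is an added example, not code from MITRE or from the CWE entry above: it places the `extract($_POST)` shape of the bad example beside the allowlist mitigation listed under Mitigations, so the difference in outcome can be run and seen. The `$request` array is constructed inline to stand in for `$_POST`, `getUserRole()` is a stand-in role lookup rather than a real database call, and `ALLOWED_FIELDS`, `readCredentials()`, `vulnerableLogin()` and `hardenedLogin()` are names chosen for this example.

```php
<?php
// Added example for this page (not MITRE's or the CWE entry's own code): the
// extract($_POST) pattern from the bad example above, beside the allowlist
// mitigation the entry recommends. $request is constructed inline so the file
// runs offline with `php cwe914.php`; getUserRole() is a stand-in lookup.

// Vulnerable shape: every request key becomes a local variable, so a request
// that happens to carry an "isAdmin" field overwrites the flag set just before.
function vulnerableLogin(array $post)
{
    $isAdmin = false;
    extract($post);   // CWE-914: the request decides which variables get written
    // credential check omitted; only what happens to $isAdmin matters here
    return $isAdmin;
}

// Hardened shape (first mitigation): read only the fields the handler expects,
// each into its own named variable. Nothing else in the request is ever turned
// into a variable, and the privilege flag is derived from the stored role,
// never from request data (second mitigation: no dynamic identification at all).
const ALLOWED_FIELDS = ['user', 'pass'];

function readCredentials(array $post): array
{
    $creds = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
        $creds[$field] = $post[$field];
    }
    return $creds;   // keys outside the allowlist are simply dropped
}

// Stand-in for the page's getUserRole(): a constructed role table.
function getUserRole(string $user): string
{
    $roles = ['alice' => 'Admin', 'bob' => 'User'];
    return $roles[$user] ?? 'Guest';
}

function hardenedLogin(array $post): bool
{
    $creds = readCredentials($post);
    // password verification against the credential store would go here
    return getUserRole($creds['user']) === 'Admin';
}

// Constructed request: bob is an ordinary user, and the request carries an
// extra "isAdmin" field that the handler never asked for.
$request = ['user' => 'bob', 'pass' => 'hunter2', 'isAdmin' => '1'];

var_dump(vulnerableLogin($request));  // string(1) "1": truthy, so bob is treated as admin
var_dump(hardenedLogin($request));    // bool(false): the extra field is ignored
```

A half measure worth knowing about: `extract($post, EXTR_SKIP)` tells PHP not to overwrite variables that already exist, which would protect `$isAdmin` in this particular function only because it is initialised before the call. It does nothing for variables that are not yet defined at that point, which is why the CWE entry recommends an allowlist or, better, removing dynamic identification entirely as `hardenedLogin()` does.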
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-14085 | youlaitech youlai-mall orders improper control of dynamically-identified variables | youlai-mall | 6.3 | Medium | 2025-12-05 |
| CVE-2025-14051 | youlaitech youlai-mall addresses deleteAddress improper control of dynamically-identified variables | youlai-mall | 6.3 | Medium | 2025-12-04 |
| CVE-2024-54198 | Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP | SAP NetWeaver Application Server ABAP | 8.5 | High | 2024-12-10 |
| CVE-2024-24914 | Check Point Gaia Portal security vulnerability | ClusterXL, Multi-Domain Security Management, Quantum Appliances, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Security Management | 8.0 | High | 2024-11-07 |
| CVE-2023-33175 | ToUI allows user-specific variables to be shared between users | ToUI | 9.1 | Critical | 2023-05-30 |

Vulnerabilities classified as CWE-914 (Improper Control of Dynamically-Identified Variables) account for 5 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.