logo

Public Static Final Field References Mutable Object

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a class exposes a public or protected static final field that points to a changeable object. Because the field's reference is constant but the object itself is not, malicious code or even accidental code in other packages can modify the object's contents, violating the intended immutability.

Extended Description

The core issue is a misunderstanding of the `final` keyword in Java and similar languages. When applied to an object reference, `final` only guarantees that the reference itself cannot be reassigned to point to a different object. It does not protect the internal state of the object that the reference points to. If that object is mutable—like an array, a collection, or a custom class with public setters—its data can be freely altered, even through the `static final` field. To prevent this, developers must ensure true immutability. This involves either assigning the static final field to an inherently immutable object (like a `String` or a boxed primitive) or defensively wrapping mutable objects. For collections, use `Collections.unmodifiableList()`, `Map.copyOf()`, or similar methods to create an unmodifiable view or a deep copy before assignment. This practice encapsulates the mutable data and enforces the read-only intent of the public static field.
Common Consequences 1
Scope: Integrity

Impact: Modify Application Data
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Implementation
Protect mutable objects by making them private. Restrict access to the getter and setter as well.
Demonstrative Examples 1
Here, an array (which is inherently mutable) is labeled public static final.

Code Example:

Bad
Java
java
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Modification of Assumed-Immutable Data (MAID) (CWE-471)
Taxonomy Mapping
  • Software Fault Patterns