Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.
CWE-1325 Base Incomplete
Improperly Controlled Sequential Memory Allocation
This vulnerability occurs when a system allocates memory separately for each item in a collection but fails to enforce a global limit on the total memory used by all items combined.
Definition
What is CWE-1325?
This vulnerability occurs when a system allocates memory separately for each item in a collection but fails to enforce a global limit on the total memory used by all items combined.
While a developer might cap the memory for a single allocation—like setting a maximum size for one array—an attacker can bypass this by forcing the system to create many such objects in sequence. Each individual allocation stays within its allowed limit, but the cumulative memory consumption across all objects can exhaust available resources, causing a system slowdown or crash.
This is a common oversight in systems that handle dynamic collections, such as connection pools, session managers, or request queues. To prevent it, developers must implement a two-tier check: one for per-object allocation and another for the aggregate memory footprint of the entire collection, ensuring the system can't be tricked into a denial of service through repeated small allocations.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-1325
-
JavaScript-based packet decoder uses concatenation of many small strings, causing out-of-memory (OOM) condition
-
Product allocates a new buffer on the stack for each file in a directory, allowing stack exhaustion
-
Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
Identifiziere einen Codepfad, der nicht vertrauenswürdige Eingaben ohne Validierung verarbeitet.
- 2
Erzeuge eine Payload, die das unsichere Verhalten auslöst — Injection, Traversal, Overflow oder Logik-Missbrauch.
- 3
Liefere die Payload über einen normalen Request aus und beobachte die Reaktion der Anwendung.
- 4
Iteriere, bis die Antwort Daten preisgibt, Angreifer-Code ausführt oder Berechtigungen eskaliert.
Verwundbares Codebeispiel
Vulnerable C
This example contains a small allocation of stack memory. When the program was first constructed, the number of times this memory was allocated was probably inconsequential and presented no problem. Over time, as the number of objects in the database grow, the number of allocations will grow - eventually consuming the available stack, i.e. "stack exhaustion." An attacker who is able to add elements to the database could cause stack exhaustion more rapidly than assumed by the developer.
```
// Gets the size from the number of objects in a database, which over time can conceivably get very large*
int end_limit = get_nmbr_obj_from_db();
int i;
int *base = NULL;
int *p =base;
for (i = 0; i < end_limit; i++)
{
```
*p = alloca(sizeof(int *));
```
// Allocate memory on the stack*
p = *p;
*// // Point to the next location to be saved*
} Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-1325
- Implementation Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
- Operation Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
Erkennungssignale
How to detect CWE-1325
Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.
Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.
Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.
Plexicus erkennt CWE-1325 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-1325?
Wie gravierend ist CWE-1325?
Welche Sprachen oder Plattformen sind von CWE-1325 betroffen?
Wie kann ich CWE-1325 verhindern?
Wie erkennt und behebt Plexicus CWE-1325?
Wo erfahre ich mehr über CWE-1325?
Frequently asked questions
Was ist CWE-1325?
This vulnerability occurs when a system allocates memory separately for each item in a collection but fails to enforce a global limit on the total memory used by all items combined.
Wie gravierend ist CWE-1325?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-1325 betroffen?
MITRE lists the following affected platforms: C, C++.
Wie kann ich CWE-1325 verhindern?
Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the…
Wie erkennt und behebt Plexicus CWE-1325?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1325 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-1325?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1325.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-1325
CWE-770 Parent
Allocation of Resources Without Limits or Throttling
This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…
CWE-774 Sibling
Allocation of File Descriptors or Handles Without Limits or Throttling
This vulnerability occurs when an application creates file descriptors or handles for a user or process without enforcing any limits on…
CWE-789 Sibling
Memory Allocation with Excessive Size Value
This vulnerability occurs when a program allocates memory based on a user-supplied or untrusted size value without proper validation. If…
CWE-476 Kann vorausgehen
NULL Pointer Dereference
This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or…
Ressourcen
Further reading
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.