Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Use of Inherently Dangerous Function
This vulnerability occurs when code uses functions that are inherently unsafe and cannot be reliably secured, posing a direct risk to application stability and security.
What is CWE-242?
Real-world CVEs caused by CWE-242
- FTP client uses inherently insecure gets() function and is setuid root on some systems, allowing buffer overflow
Attacker path step by step
1. The code below calls gets() to read information into a buffer.
2. The gets() function in C is inherently unsafe.
3. The code below calls the gets() function to read in data from the command line.
4. However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
Vulnerable C
The code below calls gets() to read information into a buffer.
char buf[BUFSIZE];
gets(buf);   /* reads until newline with no bound on length: any input longer than BUFSIZE - 1 bytes overflows buf */
Secure pseudocode
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
How to prevent CWE-242
- Implementation / Requirements: Ban the use of dangerous functions. Use their safe equivalent.
- Testing: Use grep or static analysis tools to spot usage of dangerous functions.
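The attacker path above and the prevention advice both come down to one replacement: a line reader that can never write past the end of its buffer. The following is an added example (not code from this page or from Plexicus) showing that replacement in full. It assumes a constructed BUFSIZE of 16 so truncation is easy to exercise, uses fgets() as the bounded equivalent of gets(), and goes slightly beyond the page's two-line fix by handling the cases gets() silently gets wrong: a line longer than the buffer (reported and drained so the next read starts on the next line), a line that exactly fills the buffer, and a final line with no newline. It also bans the identifier gets at compile time with `#pragma GCC poison`, which GCC and Clang honour. All sample inputs are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), used only to test on in-memory input */
#include <stdio.h>
#include <string.h>

/* Ban the dangerous function at compile time: any later use of the identifier
 * `gets` in this translation unit is a hard compiler error. Placed after
 * <stdio.h> so the header's own declaration (present under older C standards)
 * is not what trips it. */
#pragma GCC poison gets

#define BUFSIZE 16   /* constructed, deliberately small buffer for the example */

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* Bounded replacement for gets(): reads one line from `in` into `buf` of
 * `size` bytes, strips the trailing newline, and reports whether the line fit.
 * fgets() stops at size - 1 characters, so nothing is ever written past
 * buf[size - 1]. When the line is longer than the buffer the remainder is
 * consumed and discarded, so the next call starts on the next line instead
 * of on leftover bytes. */
enum read_status read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    /* No newline in the buffer. Either the line was too long, it filled the
     * buffer exactly, or the stream ended without a newline. One character of
     * lookahead distinguishes the three. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return READ_OK;        /* exact fit or unterminated last line */
    while (c != '\n' && c != EOF) c = fgetc(in);      /* discard the rest of the over-long line */
    return READ_TRUNCATED;
}

/* Reads the first line of `text` (a constructed string, not real user input)
 * through read_line() so behaviour can be checked offline. */
enum read_status read_line_from_string(const char *text, char *buf, size_t size)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return READ_EOF;
    enum read_status st = read_line(in, buf, size);
    fclose(in);
    return st;
}

/* Returns 1 when reading the first line of `text` into a BUFSIZE buffer yields
 * exactly the expected status and text. */
int first_line_is(const char *text, enum read_status want_status, const char *want_text)
{
    char buf[BUFSIZE];
    enum read_status st = read_line_from_string(text, buf, sizeof buf);
    return st == want_status && strcmp(buf, want_text) == 0;
}

/* Counts the lines of `text` as read_line() sees them with a BUFSIZE buffer.
 * An over-long line counts once, which shows the drain logic works. */
int count_lines_bounded(const char *text)
{
    char buf[BUFSIZE];
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return -1;
    int lines = 0;
    while (read_line(in, buf, sizeof buf) != READ_EOF) lines++;
    fclose(in);
    return lines;
}

int main(void)
{
    char buf[BUFSIZE];
    enum read_status st = read_line(stdin, buf, sizeof buf);
    printf("status=%d line=\"%s\"\n", (int)st, buf);
    return 0;
}
```

The lookahead after fgets() matters: a line of exactly BUFSIZE - 1 characters leaves no room for the newline, so without peeking at the next character it would be misreported as truncated. Callers that treat READ_TRUNCATED as an error rather than silently using the shortened string get the behaviour gets() could never offer: an explicit signal that the input did not fit.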
How to detect CWE-242
Plexicus detects CWE-242 automatically and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies exactly this weakness and delivers a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions
What is CWE-242?
This vulnerability occurs when code uses functions that are inherently unsafe and cannot be reliably secured, posing a direct risk to application stability and security.
How severe is CWE-242?
MITRE rates the likelihood of exploit as high; this weakness is actively exploited in the wild and should be prioritized for remediation.
Which languages or platforms are affected by CWE-242?
MITRE lists the following affected platforms: C, C++.
How can I prevent CWE-242?
Ban the use of dangerous functions. Use their safe equivalent. Use grep or static analysis tools to spot usage of dangerous functions.
How does Plexicus detect and fix CWE-242?
The Plexicus SAST engine detects the data-flow signature of CWE-242 on every commit. On a hit, our Codex Remedium agent opens a fix PR with corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-242?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/242.html. For supplementary guidance you can also consult the OWASP and NIST documentation.
Weaknesses related to CWE-242
Use of Prohibited Code
This vulnerability occurs when software incorporates a function, library, or third-party component that has been explicitly banned by the…
Use of Potentially Dangerous Function
This vulnerability occurs when code calls a function that can be dangerous if misused, but can also be used safely with proper…
Further reading
- MITRE: official CWE-242 definition https://cwe.mitre.org/data/definitions/242.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
Stop paying per developer.
Close the loop.
Plexicus is the AI-native ASPM that scans, filters, fixes, pentests and explains, autonomously. Unlimited developers, unlimited repos, fair-use AI actions. A genuinely free tier, €269/mo billed annually when you are ready.