Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.
CWE-909 Class Incomplete
Missing Initialization of Resource
The software fails to properly set up a critical resource before using it.
Definition
What is CWE-909?
The software fails to properly set up a critical resource before using it.
Many system resources, like memory buffers, file handles, or configuration objects, need explicit setup before they're safe to use. When this initialization step is skipped, the resource may contain leftover data from previous operations, expired values, or system defaults that are invalid for your specific use case. This unpredictable state becomes a security problem when your code assumes the resource has specific, trustworthy properties.
From a developer's perspective, this often happens when you allocate a resource but don't populate it with known, safe values. Attackers can exploit this by manipulating or predicting the uninitialized content, leading to information leaks, crashes, or unexpected program behavior. Always explicitly initialize all resources to a known, secure state, even if you think the system or compiler will do it for you.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-909
-
A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
-
Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
- 2
The following code intends to limit certain operations to the administrator only.
- 3
If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.
- 4
The following code intends to concatenate a string to a variable and print the string.
- 5
This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory.
Verwundbares Codebeispiel
Vulnerable Java
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
private boolean initialized = true;
public void someMethod() {
if (!initialized) {
```
// perform initialization tasks*
...
initialized = true;} Sicheres Codebeispiel
Secure C
When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457). To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf(). One solution would be to set test_string to an acceptable default before the conditional:
char *test_string = "Done at the beginning";
if (i != err_val)
{
```
test_string = "Hello World!";
}
printf("%s", test_string); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-909
- Implementation Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
- Implementation Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
- Implementation Avoid race conditions (CWE-362) during initialization routines.
- Build and Compilation Run or compile your product with settings that generate warnings about uninitialized variables or data.
Erkennungssignale
How to detect CWE-909
Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.
Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.
Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.
Plexicus erkennt CWE-909 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-909?
Wie gravierend ist CWE-909?
Welche Sprachen oder Plattformen sind von CWE-909 betroffen?
Wie kann ich CWE-909 verhindern?
Wie erkennt und behebt Plexicus CWE-909?
Wo erfahre ich mehr über CWE-909?
Frequently asked questions
Was ist CWE-909?
The software fails to properly set up a critical resource before using it.
Wie gravierend ist CWE-909?
MITRE stuft die Exploit-Wahrscheinlichkeit als mittel ein — eine Ausnutzung ist realistisch, erfordert aber meist bestimmte Bedingungen.
Welche Sprachen oder Plattformen sind von CWE-909 betroffen?
MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.
Wie kann ich CWE-909 verhindern?
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps. Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Wie erkennt und behebt Plexicus CWE-909?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-909 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-909?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/909.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-909
CWE-665 Parent
Improper Initialization
This vulnerability occurs when software fails to properly set up a resource before use, or provides incorrect starting values, leaving it…
CWE-1188 Sibling
Initialization of a Resource with an Insecure Default
This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it…
CWE-1279 Sibling
Cryptographic Operations are run Before Supporting Units are Ready
This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to…
CWE-1419 Sibling
Incorrect Initialization of Resource
This weakness occurs when a system fails to properly set up a resource during its creation, leaving it in an unstable, incorrect, or…
CWE-1434 Sibling
Insecure Setting of Generative AI/ML Model Inference Parameters
This vulnerability occurs when a generative AI or ML model is deployed with inference parameters that are too permissive, causing it to…
CWE-455 Sibling
Non-exit on Failed Initialization
This vulnerability occurs when software continues to run as normal after encountering a critical security failure during its startup…
CWE-456 Sibling
Missing Initialization of a Variable
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable…
CWE-457 Sibling
Use of Uninitialized Variable
This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…
CWE-770 Sibling
Allocation of Resources Without Limits or Throttling
This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…
Ressourcen
Further reading
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.