CWE-454 Base Borrador

External Initialization of Trusted Variables or Data Stores

This vulnerability occurs when an application sets up its critical internal variables or storage systems using data from untrusted, external sources that an attacker could control.

Definición

What is CWE-454?

This vulnerability occurs when an application sets up its critical internal variables or storage systems using data from untrusted, external sources that an attacker could control.
A secure system should be cautious about trusting any data that originates from outside its own controlled environment. When core application variables or data stores—like configuration flags, security tokens, or internal state trackers—are populated with user-supplied or externally-provided values, attackers can feed them malicious data. This allows them to manipulate the application's logic from the very start, often leading to severe security breaches. In practice, this means developers must ensure that all trusted variables are initialized with hard-coded values, secure internal processes, or rigorously validated data. Relying on external inputs for initialization, even if those inputs are later checked, creates a dangerous window where the system's foundational state is compromised. Always establish critical internal state independently, before processing any untrusted data.
Impacto en el mundo real

Real-world CVEs caused by CWE-454

  • CVE-2022-43468

    WordPress module sets internal variables based on external inputs, allowing false reporting of the number of views

  • CVE-2000-0959

    Does not clear dangerous environment variables, enabling symlink attack.

  • CVE-2001-0033

    Specify alternate configuration directory in environment variable, enabling untrusted path.

  • CVE-2001-0872

    Dangerous environment variable not cleansed.

  • CVE-2001-0084

    Specify arbitrary modules using environment variable.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    In the Java example below, a system property controls the debug level of the application.

  2. 2

    If an attacker is able to modify the system property, then it may be possible to coax the application into divulging sensitive information by virtue of the fact that additional debug information is printed/exposed as the debug level increases.

  3. 3

    This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set.

  4. 4

    Any user can activate the debug mode, gaining administrator privileges. An attacker may also use the information printed by the phpinfo() function to further exploit the system. .

  5. 5

    This example also exhibits Information Exposure Through Debug Information (CWE-215)

Ejemplo de código vulnerable

Vulnerable Java

In the Java example below, a system property controls the debug level of the application.

Vulnerable Java 
int debugLevel = Integer.getInteger("com.domain.application.debugLevel").intValue();
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-454

  • Implementation A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.
  • Architecture and Design Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.
Señales de detección

How to detect CWE-454

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-454 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-454?

This vulnerability occurs when an application sets up its critical internal variables or storage systems using data from untrusted, external sources that an attacker could control.

¿Qué gravedad tiene CWE-454?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-454?

MITRE lists the following affected platforms: PHP.

¿Cómo puedo prevenir CWE-454?

A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary. Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.

¿Cómo detecta y corrige Plexicus CWE-454?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-454 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-454?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/454.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-454

CWE-1419 Padre

Incorrect Initialization of Resource

This weakness occurs when a system fails to properly set up a resource during its creation, leaving it in an unstable, incorrect, or…

CWE-1051 Hermano

Initialization with Hard-Coded Network Resource Configuration Data

This vulnerability occurs when software uses fixed, hard-coded values—like IP addresses, domain names, or URLs—to identify network…

CWE-1052 Hermano

Excessive Use of Hard-Coded Literals in Initialization

This weakness occurs when software initializes variables or data structures using hard-coded values (like strings, file paths, or network…

CWE-1188 Hermano

Initialization of a Resource with an Insecure Default

This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it…

CWE-1221 Hermano

Incorrect Register Defaults or Module Parameters

This vulnerability occurs when hardware description language (HDL) code sets insecure default values for hardware registers or…

CWE-456 Par

Missing Initialization of a Variable

This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo