CWE-494 Base Borrador Medium likelihood

Download of Code Without Integrity Check

This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been…

Definición

What is CWE-494?

This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been tampered with.
Attackers exploit this weakness by hijacking the download process. They might compromise the server hosting the code, redirect your request via DNS spoofing, or alter the code as it travels over the network. Since the application blindly trusts and executes whatever it downloads, this allows the attacker to run their own malicious commands on your system. Detecting these insecure downloads manually across a large codebase is challenging. An ASPM platform like Plexicus can automatically identify these patterns via SAST/DAST scanning and, using AI, provide specific remediation guidance—such as implementing digital signatures or checksum verification—to fix the flaw efficiently.
Impacto en el mundo real

Real-world CVEs caused by CWE-494

  • CVE-2019-9534

    Satellite phone does not validate its firmware image.

  • CVE-2021-22909

    Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).

  • CVE-2008-3438

    OS does not verify authenticity of its own updates.

  • CVE-2008-3324

    online poker client does not verify authenticity of its own updates.

  • CVE-2001-1125

    anti-virus product does not verify automatic updates for itself.

  • CVE-2002-0671

    VOIP phone downloads applications from web sites without verifying integrity.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    This example loads an external class from a local subdirectory.

  2. 2

    This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code.

  3. 3

    This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.

  4. 4

    This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow themself to access the application without a real user account.

  5. 5

    This example is also vulnerable to an Adversary-in-the-Middle AITM (CWE-300) attack.

Ejemplo de código vulnerable

Vulnerable Java

This example loads an external class from a local subdirectory.

Vulnerable Java 
URL[] classURLs= new URL[]{
  	new URL("file:subdir/")
  };
  URLClassLoader loader = new URLClassLoader(classURLs);
  Class loadedClass = Class.forName("loadMe", true, loader);
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-494

  • Implementation Perform proper forward and reverse DNS lookups to detect DNS spoofing.
  • Architecture and Design / Operation Encrypt the code with a reliable encryption scheme before transmitting. This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.
  • Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code. - When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain CWE-295, CWE-320, CWE-347, and related weaknesses. - Use code signing technologies such as Authenticode. See references [REF-454] [REF-455] [REF-456].
  • Architecture and Design / Operation Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
  • Architecture and Design / Operation Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Señales de detección

How to detect CWE-494

Manual Analysis

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.

Black Box

Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-494 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-494?

This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been tampered with.

¿Qué gravedad tiene CWE-494?

MITRE califica la probabilidad de explotación como Media — la explotación es realista pero suele requerir condiciones específicas.

¿Qué lenguajes o plataformas se ven afectados por CWE-494?

MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.

¿Cómo puedo prevenir CWE-494?

Perform proper forward and reverse DNS lookups to detect DNS spoofing. Encrypt the code with a reliable encryption scheme before transmitting. This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.

¿Cómo detecta y corrige Plexicus CWE-494?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-494 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-494?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/494.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-494

CWE-345 Padre

Insufficient Verification of Data Authenticity

This vulnerability occurs when an application fails to properly check where data comes from or confirm its legitimacy, allowing untrusted…

CWE-1293 Hermano

Missing Source Correlation of Multiple Independent Data

This vulnerability occurs when a system trusts a single source of data without verification, making it impossible to detect if that source…

CWE-346 Hermano

Origin Validation Error

This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing…

CWE-347 Hermano

Improper Verification of Cryptographic Signature

This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step…

CWE-348 Hermano

Use of Less Trusted Source

This vulnerability occurs when a system has access to multiple sources for the same critical data, but it chooses to rely on the less…

CWE-349 Hermano

Acceptance of Extraneous Untrusted Data With Trusted Data

This vulnerability occurs when a system processes both trusted and untrusted data together, but fails to separate them. The application…

CWE-351 Hermano

Insufficient Type Distinction

This vulnerability occurs when an application fails to properly differentiate between different types of data or objects, leading to…

CWE-352 Hermano

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) happens when a web application cannot reliably tell if a user actually intended to submit a request,…

CWE-353 Hermano

Missing Support for Integrity Check

This vulnerability occurs when a system uses a communication protocol that lacks built-in integrity verification, such as a checksum or…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo