Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.
CWE-909 Clase Incompleto
Missing Initialization of Resource
The software fails to properly set up a critical resource before using it.
Definición
What is CWE-909?
The software fails to properly set up a critical resource before using it.
Many system resources, like memory buffers, file handles, or configuration objects, need explicit setup before they're safe to use. When this initialization step is skipped, the resource may contain leftover data from previous operations, expired values, or system defaults that are invalid for your specific use case. This unpredictable state becomes a security problem when your code assumes the resource has specific, trustworthy properties.
From a developer's perspective, this often happens when you allocate a resource but don't populate it with known, safe values. Attackers can exploit this by manipulating or predicting the uninitialized content, leading to information leaks, crashes, or unexpected program behavior. Always explicitly initialize all resources to a known, secure state, even if you think the system or compiler will do it for you.
Impacto en el mundo real
Real-world CVEs caused by CWE-909
-
A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
-
Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
- 2
The following code intends to limit certain operations to the administrator only.
- 3
If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.
- 4
The following code intends to concatenate a string to a variable and print the string.
- 5
This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory.
Ejemplo de código vulnerable
Vulnerable Java
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
private boolean initialized = true;
public void someMethod() {
if (!initialized) {
```
// perform initialization tasks*
...
initialized = true;} Ejemplo de código seguro
Secure C
When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457). To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf(). One solution would be to set test_string to an acceptable default before the conditional:
char *test_string = "Done at the beginning";
if (i != err_val)
{
```
test_string = "Hello World!";
}
printf("%s", test_string); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-909
- Implementation Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
- Implementation Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
- Implementation Avoid race conditions (CWE-362) during initialization routines.
- Build and Compilation Run or compile your product with settings that generate warnings about uninitialized variables or data.
Señales de detección
How to detect CWE-909
Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.
Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.
Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.
Plexicus detecta automáticamente CWE-909 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-909?
¿Qué gravedad tiene CWE-909?
¿Qué lenguajes o plataformas se ven afectados por CWE-909?
¿Cómo puedo prevenir CWE-909?
¿Cómo detecta y corrige Plexicus CWE-909?
¿Dónde puedo aprender más sobre CWE-909?
Frequently asked questions
¿Qué es CWE-909?
The software fails to properly set up a critical resource before using it.
¿Qué gravedad tiene CWE-909?
MITRE califica la probabilidad de explotación como Media — la explotación es realista pero suele requerir condiciones específicas.
¿Qué lenguajes o plataformas se ven afectados por CWE-909?
MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.
¿Cómo puedo prevenir CWE-909?
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps. Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
¿Cómo detecta y corrige Plexicus CWE-909?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-909 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-909?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/909.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-909
CWE-665 Padre
Improper Initialization
This vulnerability occurs when software fails to properly set up a resource before use, or provides incorrect starting values, leaving it…
CWE-1188 Hermano
Initialization of a Resource with an Insecure Default
This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it…
CWE-1279 Hermano
Cryptographic Operations are run Before Supporting Units are Ready
This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to…
CWE-1419 Hermano
Incorrect Initialization of Resource
This weakness occurs when a system fails to properly set up a resource during its creation, leaving it in an unstable, incorrect, or…
CWE-1434 Hermano
Insecure Setting of Generative AI/ML Model Inference Parameters
This vulnerability occurs when a generative AI or ML model is deployed with inference parameters that are too permissive, causing it to…
CWE-455 Hermano
Non-exit on Failed Initialization
This vulnerability occurs when software continues to run as normal after encountering a critical security failure during its startup…
CWE-456 Hermano
Missing Initialization of a Variable
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable…
CWE-457 Hermano
Use of Uninitialized Variable
This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…
CWE-770 Hermano
Allocation of Resources Without Limits or Throttling
This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.