CWE-941 Base Incompleto

Incorrectly Specified Destination in a Communication Channel

This vulnerability occurs when an application establishes an outgoing communication channel but fails to correctly define or enforce the intended recipient. This misdirection can allow data to be…

Definición

What is CWE-941?

This vulnerability occurs when an application establishes an outgoing communication channel but fails to correctly define or enforce the intended recipient. This misdirection can allow data to be sent to an untrusted or malicious destination.
Attackers can exploit this flaw in two primary ways. First, if they can directly control the destination specification—such as in Server-Side Request Forgery (SSRF) or by spoofing UDP packets—they can redirect traffic to systems they control. This is often used to bypass firewalls, mask attack origins, or launch denial-of-service attacks. Second, the flaw can stem from the application itself incorrectly specifying the target due to misconfiguration, faulty parsing (like of email addresses or IPs), or insecure mechanisms like Android's sticky broadcasts. This unintentional misdirection can allow a malicious actor to intercept sensitive data meant for a trusted service, effectively spoofing it.
Impacto en el mundo real

Real-world CVEs caused by CWE-941

  • CVE-2013-5211

    composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.

  • CVE-1999-0513

    Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.

  • CVE-1999-1379

    DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    Identifica una ruta de código que maneje entrada no confiable sin validación.

  2. 2

    Crea un payload que ejercite el comportamiento inseguro — inyección, traversal, overflow o abuso de lógica.

  3. 3

    Envía el payload a través de una solicitud normal y observa la reacción de la aplicación.

  4. 4

    Itera hasta que la respuesta filtre datos, ejecute código del atacante o escale privilegios.

Ejemplo de código vulnerable

Vulnerable Python

This code listens on a port for DNS requests and sends the result to the requesting address.

Vulnerable Python 
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock.bind( (UDP_IP,UDP_PORT) )
  while true:
  		data = sock.recvfrom(1024)
  		if not data:
  			break
  		(requestIP, nameToResolve) = parseUDPpacket(data)
  		record = resolveName(nameToResolve)
  		sendResponse(requestIP,record)
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-941

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Señales de detección

How to detect CWE-941

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-941 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-941?

This vulnerability occurs when an application establishes an outgoing communication channel but fails to correctly define or enforce the intended recipient. This misdirection can allow data to be sent to an untrusted or malicious destination.

¿Qué gravedad tiene CWE-941?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-941?

MITRE lists the following affected platforms: Mobile.

¿Cómo puedo prevenir CWE-941?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

¿Cómo detecta y corrige Plexicus CWE-941?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-941 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-941?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/941.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-941

CWE-923 Padre

Improper Restriction of Communication Channel to Intended Endpoints

This vulnerability occurs when a system opens a communication channel for a sensitive task but fails to properly verify that it's actually…

CWE-1275 Hermano

Sensitive Cookie with Improper SameSite Attribute

This vulnerability occurs when a sensitive cookie does not have a secure SameSite attribute configured, leaving it exposed to cross-site…

CWE-291 Hermano

Reliance on IP Address for Authentication

This vulnerability occurs when a system uses a client's IP address as the sole or primary method to verify their identity.

CWE-297 Hermano

Improper Validation of Certificate with Host Mismatch

This vulnerability occurs when an application accepts a valid SSL/TLS certificate without properly verifying that it actually belongs to…

CWE-300 Hermano

Channel Accessible by Non-Endpoint

This vulnerability occurs when a system fails to properly verify who is on the other end of a communication link or to secure the channel…

CWE-419 Hermano

Unprotected Primary Channel

This vulnerability occurs when an application exposes a privileged administrative interface or restricted functionality through a primary…

CWE-420 Hermano

Unprotected Alternate Channel

This vulnerability occurs when an application secures its main communication path but leaves a backup or alternative channel with weaker…

CWE-940 Hermano

Improper Verification of Source of a Communication Channel

This vulnerability occurs when an application accepts incoming communication requests without properly checking where they originate from,…

CWE-942 Hermano

Permissive Cross-domain Security Policy with Untrusted Domains

This vulnerability occurs when a web application's cross-domain security policy, like a Content Security Policy (CSP), explicitly allows…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo