Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.
CWE-909 Classe Incomplet
Missing Initialization of Resource
The software fails to properly set up a critical resource before using it.
Définition
What is CWE-909?
The software fails to properly set up a critical resource before using it.
Many system resources, like memory buffers, file handles, or configuration objects, need explicit setup before they're safe to use. When this initialization step is skipped, the resource may contain leftover data from previous operations, expired values, or system defaults that are invalid for your specific use case. This unpredictable state becomes a security problem when your code assumes the resource has specific, trustworthy properties.
From a developer's perspective, this often happens when you allocate a resource but don't populate it with known, safe values. Attackers can exploit this by manipulating or predicting the uninitialized content, leading to information leaks, crashes, or unexpected program behavior. Always explicitly initialize all resources to a known, secure state, even if you think the system or compiler will do it for you.
Impact réel
Real-world CVEs caused by CWE-909
-
A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
-
Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
- 2
The following code intends to limit certain operations to the administrator only.
- 3
If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.
- 4
The following code intends to concatenate a string to a variable and print the string.
- 5
This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory.
Exemple de code vulnérable
Vulnerable Java
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
private boolean initialized = true;
public void someMethod() {
if (!initialized) {
```
// perform initialization tasks*
...
initialized = true;} Exemple de code sécurisé
Secure C
When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457). To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf(). One solution would be to set test_string to an acceptable default before the conditional:
char *test_string = "Done at the beginning";
if (i != err_val)
{
```
test_string = "Hello World!";
}
printf("%s", test_string); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-909
- Implementation Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
- Implementation Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
- Implementation Avoid race conditions (CWE-362) during initialization routines.
- Build and Compilation Run or compile your product with settings that generate warnings about uninitialized variables or data.
Signaux de détection
How to detect CWE-909
Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.
Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.
Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.
Plexicus détecte automatiquement CWE-909 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-909 ?
Quelle est la gravité de CWE-909 ?
Quels langages ou plateformes sont affectés par CWE-909 ?
Comment puis-je prévenir CWE-909 ?
Comment Plexicus détecte et corrige CWE-909 ?
Où puis-je en savoir plus sur CWE-909 ?
Frequently asked questions
Qu'est-ce que CWE-909 ?
The software fails to properly set up a critical resource before using it.
Quelle est la gravité de CWE-909 ?
MITRE évalue la probabilité d'exploitation comme Moyenne — l'exploitation est réaliste mais nécessite généralement des conditions spécifiques.
Quels langages ou plateformes sont affectés par CWE-909 ?
MITRE n'a pas spécifié les plateformes affectées pour ce CWE — il peut s'appliquer à la plupart des stacks applicatives.
Comment puis-je prévenir CWE-909 ?
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps. Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Comment Plexicus détecte et corrige CWE-909 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-909 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-909 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/909.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-909
CWE-665 Parent
Improper Initialization
This vulnerability occurs when software fails to properly set up a resource before use, or provides incorrect starting values, leaving it…
CWE-1188 Frère
Initialization of a Resource with an Insecure Default
This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it…
CWE-1279 Frère
Cryptographic Operations are run Before Supporting Units are Ready
This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to…
CWE-1419 Frère
Incorrect Initialization of Resource
This weakness occurs when a system fails to properly set up a resource during its creation, leaving it in an unstable, incorrect, or…
CWE-1434 Frère
Insecure Setting of Generative AI/ML Model Inference Parameters
This vulnerability occurs when a generative AI or ML model is deployed with inference parameters that are too permissive, causing it to…
CWE-455 Frère
Non-exit on Failed Initialization
This vulnerability occurs when software continues to run as normal after encountering a critical security failure during its startup…
CWE-456 Frère
Missing Initialization of a Variable
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable…
CWE-457 Frère
Use of Uninitialized Variable
This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…
CWE-770 Frère
Allocation of Resources Without Limits or Throttling
This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.