Abstraction: Variant · Status: Draft

CWE-491: Public cloneable() Method Without Final ('Object Hijack')

Category: other

Description

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.

Common consequences

  • Integrity / Other — Unexpected State, Varies by Context

Potential mitigations

  • [Implementation] Make the cloneable() method final.
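The weakness and its mitigation side by side, as an added Java example that is not part of the CWE entry or any project; the Account classes and the non-negative balance invariant are constructed for illustration:

```java
// Added illustration of CWE-491 (example code, not from the CWE entry or any project).
// Invariant: balance is never negative, enforced in the constructor. Object.clone()
// copies fields without running any constructor, so a public, non-final clone()
// lets a subclass return an object in a state the constructor would have rejected.
class VulnerableAccount implements Cloneable {
    protected long balance;
    public VulnerableAccount(long balance) {
        if (balance < 0) throw new IllegalArgumentException("negative balance");
        this.balance = balance;
    }
    @Override
    public Object clone() {            // weakness: public and NOT final
        try { return super.clone(); }
        catch (CloneNotSupportedException e) { throw new AssertionError(e); }
    }
}

// A subclass (e.g. from a less trusted module) hijacks clone() and hands back a
// copy whose state never passed the constructor's check.
class HijackedAccount extends VulnerableAccount {
    public HijackedAccount(long balance) { super(balance); }
    @Override
    public Object clone() {
        HijackedAccount copy = (HijackedAccount) super.clone();
        copy.balance = -1_000_000L;    // the constructor would have thrown on this value
        return copy;
    }
}

// Mitigation from the entry: clone() is final, so no subclass can override it. It
// also re-checks the invariant (defense in depth), since Object.clone() skipped the constructor.
class HardenedAccount implements Cloneable {
    private final long balance;
    public HardenedAccount(long balance) {
        if (balance < 0) throw new IllegalArgumentException("negative balance");
        this.balance = balance;
    }
    @Override
    public final Object clone() {
        try {
            HardenedAccount copy = (HardenedAccount) super.clone();
            if (copy.balance < 0) throw new IllegalStateException("invariant violated");
            return copy;
        } catch (CloneNotSupportedException e) { throw new AssertionError(e); }
    }
}
```

A subclass of HardenedAccount that tries to override clone() is rejected at compile time, which is the whole point of the final modifier here.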

References

  1. https://cwe.mitre.org/data/definitions/491.html

Incoming (2)

  Type           Target                           Confidence  Tier
  Vulnerability  CVE-2025-60425 (cve-2025-60425)  0%          live
  Vulnerability  CVE-2025-63685 (cve-2025-63685)  0%          live

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Cloneable Class Containing Sensitive Information
  • CWE: clone() Method Without super.clone()
  • CWE: Public Static Final Field References Mutable Object
  • CWE: Public Static Field Not Marked Final
  • CWE: Critical Public Variable Without Final Modifier
  • CWE: Returning a Mutable Object to an Untrusted Caller

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.