Abstraction: Base · Status: Incomplete

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Category: other

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Common consequences · 3

  • Integrity — Modify Application Data
    An attacker could modify sensitive data or program variables.
  • Integrity — Execute Unauthorized Code or Commands
  • Other / Integrity — Varies by Context, Alter Execution Logic

Potential mitigations · 4

  • [Implementation]
  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
  • [Implementation, Architecture and Design] Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
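The description and the mitigations above are illustrated by the following added example; it is not code from MITRE or from the CWE entry. The UserAccount object, the allowlist of updatable fields and the server-side key are assumptions made for the example. update_unsafe shows the weakness (a request body naming is_admin is applied as-is), update_allowlisted shows the allowlist mitigation with all-or-nothing rejection, and seal/unseal show the HMAC sealing mitigation for object state that must round-trip through an untrusted client, with tamper showing the forgery the tag defeats.

```python
"""CWE-915 worked example: mass assignment vs. an allowlist, plus HMAC sealing."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, fields


@dataclass
class UserAccount:
    """Hypothetical application object (constructed for this example)."""
    username: str
    email: str
    is_admin: bool = False
    balance: int = 0


# Attributes a self-service profile update may touch (assumption for this example).
UPDATABLE_FIELDS = frozenset({"username", "email"})


def update_unsafe(user: UserAccount, payload: dict) -> UserAccount:
    """Vulnerable pattern: every key of the request becomes an attribute write.

    A body such as {"email": "...", "is_admin": true} promotes the caller to
    administrator because nothing decides *which* attributes may change.
    """
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def update_allowlisted(user: UserAccount, payload: dict) -> UserAccount:
    """Hardened pattern: refuse the whole request if it names a non-updatable field.

    Rejecting outright (rather than silently dropping the extra key) keeps the
    object untouched and makes the probing attempt visible in error logs.
    """
    unexpected = set(payload) - UPDATABLE_FIELDS
    if unexpected:
        raise ValueError(f"refused to modify non-updatable attribute(s): {sorted(unexpected)}")
    declared = {f.name: f.type for f in fields(user)}
    for key, value in payload.items():
        if not isinstance(value, declared[key]):  # type check the allowed fields too
            raise TypeError(f"{key} must be {declared[key].__name__}")
        setattr(user, key, value)
    return user


def seal(state: dict, key: bytes) -> str:
    """Serialise object state and append an HMAC-SHA256 tag so the client cannot alter it."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(body).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def unseal(token: str, key: bytes) -> dict:
    """Verify the tag before any of the state is trusted; raise on mismatch or malformed input."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed sealed state") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("sealed state failed integrity check")
    return json.loads(body)


def tamper(token: str, new_state: dict) -> str:
    """What an attacker can do: swap the body while keeping the original tag."""
    _, tag_b64 = token.split(".", 1)
    body = json.dumps(new_state, sort_keys=True, separators=(",", ":")).encode()
    return f"{base64.urlsafe_b64encode(body).decode()}.{tag_b64}"


def demo() -> dict:
    """Constructed request from a low-privilege user who adds is_admin to the body."""
    payload = {"email": "alice@example.test", "is_admin": True}
    vulnerable = update_unsafe(UserAccount("alice", "old@example.test"), dict(payload))
    hardened = UserAccount("alice", "old@example.test")
    try:
        update_allowlisted(hardened, dict(payload))
        rejected = False
    except ValueError:
        rejected = True
    key = b"server-side secret, never sent to the client"  # assumption for the example
    token = seal({"username": "alice", "is_admin": False}, key)
    try:
        unseal(tamper(token, {"username": "alice", "is_admin": True}), key)
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return {
        "vulnerable_is_admin": vulnerable.is_admin,
        "hardened_rejected": rejected,
        "hardened_is_admin": hardened.is_admin,
        "sealed_roundtrip_ok": unseal(token, key) == {"username": "alice", "is_admin": False},
        "forgery_detected": forgery_detected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The allowlist is the control that maps directly onto the mitigation; the type check on top of it closes the related case where an allowed field receives a value of an unexpected type. Sealing only helps when the object state genuinely has to leave the server (hidden form fields, cookies, signed URLs): if the state never leaves the trust boundary, keep it there instead of signing it.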

References

  1. https://cwe.mitre.org/data/definitions/915.html

Compliance frameworks addressing this (incoming) · 2

Type               Target                 Confidence  Tier
ComplianceControl  ai_act-art9            100%        live
ComplianceControl  owasp_api_top10-api03  100%        live

Vulnerabilities (incoming) · 27

Type           Target          Confidence  Tier
Vulnerability  CVE-2025-14341  0%          live
Vulnerability  CVE-2025-15602  0%          live
Vulnerability  CVE-2025-30358  0%          live
Vulnerability  CVE-2025-61781  0%          live
Vulnerability  CVE-2025-69690  0%          live
Vulnerability  CVE-2025-69691  0%          live
Vulnerability  CVE-2026-21886  0%          live
Vulnerability  CVE-2026-22783  0%          live
Vulnerability  CVE-2026-27591  0%          live
Vulnerability  CVE-2026-27953  0%          live
Vulnerability  CVE-2026-29056  0%          live
Vulnerability  CVE-2026-32640  0%          live
Vulnerability  CVE-2026-33453  0%          live
Vulnerability  CVE-2026-34179  0%          live
Vulnerability  CVE-2026-34208  0%          live
Vulnerability  CVE-2026-34406  0%          live
Vulnerability  CVE-2026-34427  0%          live
Vulnerability  CVE-2026-34445  0%          live
Vulnerability  CVE-2026-40569  0%          live
Vulnerability  CVE-2026-40897  0%          live
Vulnerability  CVE-2026-41139  0%          live
Vulnerability  CVE-2026-41267  0%          live
Vulnerability  CVE-2026-41277  0%          live
Vulnerability  CVE-2026-42044  0%          live
Vulnerability  CVE-2026-45229  0%          live
Vulnerability  CVE-2026-5708   0%          live
Vulnerability  CVE-2026-6912   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  • CWE: Insufficient Encapsulation
  • CWE: Improper Control of Resource Identifiers ('Resource Injection')
  • CWE: Improper Control of Generation of Code ('Code Injection')
  • CWE: Data Access Operations Outside of Expected Data Manager Component
  • CWE: Improper Validation of Specified Type of Input

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.