Abstraction: Class · Status: Draft

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

Category: injection

Description

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

Common consequences · 1

  • Confidentiality / Integrity — Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories
    An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.

Potential mitigations · 1

  • [Implementation]
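The following is an added example, not part of the MITRE entry or the cs-graph page, showing the weakness in the Description above beside the implementation-phase fix. A report-download feature takes a report identifier from the request. The vulnerable form hands that value straight to the filesystem as the resource name; the hardened form resolves it through a fixed allow-list of logical names and then checks that the resolved path stays inside the report directory. The deployment layout (a temporary directory holding reports/q1.txt and a secret db.conf next to it), the function names and the file contents are all constructed for this demonstration.

```python
import os
import shutil
import tempfile


def build_deployment():
    """Create a throwaway deployment layout (constructed for this example).

    <root>/reports/q1.txt  - the only file the feature is meant to serve
    <root>/db.conf         - a secret outside the intended sphere of control
    """
    root = tempfile.mkdtemp(prefix="cwe99-")
    report_dir = os.path.join(root, "reports")
    os.makedirs(report_dir)
    with open(os.path.join(report_dir, "q1.txt"), "w") as f:
        f.write("Q1 report: public numbers")
    with open(os.path.join(root, "db.conf"), "w") as f:
        f.write("db_password=hunter2")
    return root


def read_report_vulnerable(report_dir, requested):
    """CWE-99 pattern: the request value is used as-is as the file identifier.

    os.path.join() drops report_dir entirely when `requested` is absolute, and a
    leading "../" walks out of it, so the caller chooses which file is opened.
    """
    with open(os.path.join(report_dir, requested)) as f:
        return f.read()


# Allow-list: logical report names the feature exposes, mapped to the concrete
# resource. The untrusted value never becomes part of a path or file name.
REPORT_ALLOWLIST = {"q1": "q1.txt"}


def read_report_hardened(report_dir, requested):
    """Resolve the untrusted identifier through the allow-list, then confirm containment."""
    filename = REPORT_ALLOWLIST.get(requested)
    if filename is None:
        raise ValueError(f"unknown report {requested!r}")
    base = os.path.realpath(report_dir)
    path = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: even an allow-listed entry must resolve inside report_dir
    # (guards against a symlink or a mistaken allow-list value added later).
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the report directory")
    with open(path) as f:
        return f.read()


def demo():
    """Run both variants against the constructed deployment and collect what each returned."""
    root = build_deployment()
    report_dir = os.path.join(root, "reports")
    secret_abs = os.path.join(root, "db.conf")
    results = {}
    try:
        results["vuln_legit"] = read_report_vulnerable(report_dir, "q1.txt")
        results["vuln_traversal"] = read_report_vulnerable(report_dir, "../db.conf")
        results["vuln_absolute"] = read_report_vulnerable(report_dir, secret_abs)
        results["hard_legit"] = read_report_hardened(report_dir, "q1")
        for label, bad in (("hard_traversal", "../db.conf"),
                           ("hard_absolute", secret_abs),
                           ("hard_raw_filename", "q1.txt")):
            try:
                results[label] = read_report_hardened(report_dir, bad)
            except ValueError:
                results[label] = "rejected"
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} -> {value}")
```

Note that the hardened variant also rejects the literal file name "q1.txt": the client is only ever allowed to name a logical report, and the application alone decides which resource that name maps to. That separation is what keeps the resource inside the intended sphere of control regardless of what the identifier string contains.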

Related CAPEC attack patterns · 3

  • CAPEC-10: Buffer Overflow via Environment Variables
  • CAPEC-240: Resource Injection
  • CAPEC-75: Manipulating Writeable Configuration Files

References

  1. https://cwe.mitre.org/data/definitions/99.html

Exploits (incoming) · 3

Type           Target                                                  Confidence  Tier
AttackPattern  Manipulating Writeable Configuration Files (capec-75)   100%        live
AttackPattern  Buffer Overflow via Environment Variables (capec-10)    100%        live
AttackPattern  Resource Injection (capec-240)                          100%        live

(incoming) · 3

Type           Target                                                  Confidence  Tier
Vulnerability  CVE-2025-0756 (cve-2025-0756)                           0%          live
Vulnerability  CVE-2025-2410 (cve-2025-2410)                           0%          live
Vulnerability  CVE-2025-43491 (cve-2025-43491)                         0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Use of Multiple Resources with Duplicate Identifier
  • CWE: Exposure of Resource to Wrong Sphere
  • CWE: Incorrect Ownership Assignment
  • CWE: Improper Validation of Unsafe Equivalence in Input
  • CWE: Improper Control of Generation of Code ('Code Injection')
  • CWE: Exposure of Sensitive Information to an Unauthorized Actor

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.