CWE-471 (Modification of Assumed-Immutable Data (MAID)) — Vulnerability Class 31

31 vulnerabilities classified as CWE-471 (Modification of Assumed-Immutable Data (MAID)). AI Chinese analysis included.

CWE-471 represents a critical integrity weakness where an application fails to protect data elements it incorrectly assumes are immutable. This vulnerability typically arises when developers treat sensitive inputs, such as hidden form fields, cookies, or reverse DNS lookups, as read-only configuration values rather than untrusted user data. Attackers exploit this flaw by manipulating these assumed-fixed values to bypass security controls, escalate privileges, or alter application logic. For instance, modifying a hidden field to change a user’s role can grant unauthorized access. To mitigate this risk, developers must strictly validate and sanitize all user-supplied inputs, regardless of their source or apparent immutability. Implementing server-side integrity checks and avoiding reliance on client-side constraints ensures that critical data remains protected from unauthorized modification, thereby maintaining the application’s security posture.

MITRE CWE Description
The product does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.
Common Consequences (2)
Integrity · Modify Application Data
Common data types that are attacked are environment variables, web application parameters, and HTTP headers.
Integrity · Unexpected State
Mitigations (1)
Architecture and Design, Operation, Implementation · When the data is stored or transmitted through untrusted sources that could modify the data, implement integrity checks to detect unauthorized modification, or store/transmit the data in a trusted location that is free from external influence.
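One way to implement the integrity check described in this mitigation for a hidden form field or cookie, as an added example that is not part of the CWE entry or of any product listed here. The names `SERVER_KEY`, `seal` and `open_sealed`, the field names and the session identifiers are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret that never leaves the server (constructed here per run;
# a real deployment would load it from a secret store).
SERVER_KEY = secrets.token_bytes(32)


def _mac(key: bytes, name: str, session_id: str, value: str) -> str:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (p.encode("utf-8") for p in (name, session_id, value))
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(name: str, value: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' to place in the hidden field or cookie.

    The tag binds the value to the field name and the session, so a valid
    tag cannot be moved to another field or replayed by another user.
    """
    return f"{value}.{_mac(key, name, session_id, value)}"


def open_sealed(name: str, sealed: str, session_id: str,
                key: bytes = SERVER_KEY):
    """Return the original value, or None if the field was modified."""
    value, sep, tag = sealed.rpartition(".")
    if not sep:
        return None  # no tag at all: treat as tampered
    expected = _mac(key, name, session_id, value)
    # Constant-time comparison on bytes (also safe for non-ASCII input).
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return None
    return value


if __name__ == "__main__":
    # Constructed sample: the server renders a hidden "role" field.
    field = seal("role", "user", "sess-A")
    print("round trip:", open_sealed("role", field, "sess-A"))
    # The client edits the value but can only reuse the old tag.
    forged = "admin." + field.rpartition(".")[2]
    print("tampered  :", open_sealed("role", forged, "sess-A"))
```

The other option the mitigation names, keeping the value in server-side storage and never sending it to the client, avoids the need for a tag altogether.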
Examples (1)
In the code excerpt below, an array returned by a Java method is modified by the caller, which is possible because arrays are mutable.
String[] colors = car.getAllPossibleColors();
colors[0] = "Red";
Bad · Java
CVE ID | Title | CVSS | Severity | Published
CVE-2018-3728 | Hoek access control error vulnerability — hoek node module | 8.8 | - | 2018-03-30

31 CVEs are classified as CWE-471 (Modification of Assumed-Immutable Data (MAID)). The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.