MITRE has published its annual 2024 CWE Top 25 Most Dangerous Software Weaknesses list, which highlights the most critical and prevalent software vulnerabilities. CWE (Common Weakness Enumeration) is a community-developed list of common weaknesses in software and hardware that can introduce vulnerabilities.
This year’s report is based on a new methodology with a scoring approach that results in the following:
- Weaknesses that were rarely discovered will not receive a high Frequency score, regardless of the typical consequence associated with any exploitation. If developers are not making a particular mistake, then the weakness should not be highlighted in the CWE Top 25.
- Weaknesses whose exploitation was of low impact will not receive a high Severity score, regardless of how common it was in the dataset. If the weakness typically results in low-impact exploited vulnerabilities, then the weakness should not be highlighted in the CWE Top 25.
- Weaknesses that are both common and caused significant harm will receive the highest scores.
MITRE reported that the updated methodology resulted in many ranking changes from last year, with only three weaknesses retaining the same ranking. Essentially, the new ranking better surfaces the weaknesses that are both the most severe and the most common in software today.
These are the flaws that pose the greatest risk due to their prevalence, potential for exploitation, and severity of impact when exploited. The updated methodology focuses on highlighting weaknesses that are both common and capable of causing significant harm, ensuring the list reflects real-world threats developers and organizations need to address most urgently.
The top three weaknesses are dominated by input validation issues. These include Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79), Out-of-bounds Write (CWE-787), and Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89).
XSS remains a pervasive issue because of its prevalence in web applications and the wide range of potential impacts. Out-of-bounds write weaknesses are a major contributor to severe vulnerabilities like buffer overflows, which have been exploited in both modern and legacy systems. SQL injection remains a top vulnerability year after year due to the ease with which it can be exploited.
Other notable changes from the previous year include several weaknesses that have jumped in the rankings, while a handful have fallen to lower positions, potentially due to wider adoption of memory-safe programming languages like Rust:
- Emergence of Cross-Site Request Forgery (CSRF): CSRF (CWE-352) has risen to the 4th position, up from 9th in 2023, indicating an increased focus on this attack vector.
- Notable Increase in Code Injection Concerns: Improper Control of Generation of Code ('Code Injection') (CWE-94) has climbed to 11th place from 23rd in the previous year, reflecting growing awareness and incidents related to code injection vulnerabilities.
- Shift in Authorization Weaknesses: Missing Authorization (CWE-862) has moved up to 9th place from 11th, while Incorrect Authorization (CWE-863) has advanced to 18th from 24th, highlighting the critical need for robust authorization mechanisms.
- Fluctuations in Memory Management Issues: Use After Free (CWE-416) has dropped to 8th place from 4th, and NULL Pointer Dereference (CWE-476) has fallen to 21st from 12th, suggesting a potential improvement in addressing these vulnerabilities or a shift in focus to other areas.
MITRE attributes some of the shifts in rankings to incomplete mapping from the National Vulnerability Database (NVD). Many CVE Records for 2024 did not receive CWE mappings from NVD analysts. This reduced dataset may have influenced rankings, as fewer CVE Records were considered for certain CWEs:
For example, the number of CVE Records that were mapped to CWE-787: Out-of-bounds Write declined by over 2,000 this year. It is not clear whether these gaps affect the relative rankings, since the distribution of unmapped CVEs seems likely to align roughly with the CWE distribution of the entire data set.
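To make the scoring approach described above concrete (a weakness scores high only when it is both common and severe, and unmapped CVE Records contribute nothing), here is an added Python illustration; it is not MITRE's published formula or data, and it uses a min-max normalized frequency times severity product over constructed records whose CVE ids, CVSS values and the `CWE-XXXX` id are placeholders.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (CVE id placeholder, mapped CWE or None, CVSS base score).
# Two records carry no CWE mapping, mirroring the NVD mapping gap discussed above.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "CWE-787", 9.8), ("CVE-0000-0002", "CWE-787", 8.8),
    ("CVE-0000-0003", "CWE-787", 9.8), ("CVE-0000-0004", "CWE-787", 8.8),
    ("CVE-0000-0005", "CWE-79", 6.1), ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 5.4), ("CVE-0000-0008", "CWE-79", 6.1),
    ("CVE-0000-0009", "CWE-79", 5.3),
    ("CVE-0000-0010", "CWE-476", 4.3), ("CVE-0000-0011", "CWE-476", 5.5),
    ("CVE-0000-0012", "CWE-476", 5.5),
    ("CVE-0000-0013", "CWE-XXXX", 9.8),   # placeholder id: rare but severe
    ("CVE-0000-0014", None, 9.8), ("CVE-0000-0015", None, 7.5),  # unmapped
]

def _minmax(values):
    """Scale a {key: number} dict onto [0, 1]; all-equal inputs map to 1.0."""
    lo, hi = min(values.values()), max(values.values())
    return {k: (v - lo) / (hi - lo) if hi > lo else 1.0 for k, v in values.items()}

def score_weaknesses(records):
    """Return ({cwe: score}, unmapped_count).

    score = normalized frequency * normalized average CVSS * 100, so a weakness
    scores high only when it is both common AND severe in the data set.
    Records without a CWE mapping are dropped and cannot raise any score.
    """
    counts, cvss = defaultdict(int), defaultdict(list)
    unmapped = 0
    for _cve, cwe, base in records:
        if cwe is None:
            unmapped += 1
            continue
        counts[cwe] += 1
        cvss[cwe].append(base)
    freq = _minmax(dict(counts))
    sev = _minmax({c: mean(v) for c, v in cvss.items()})
    scores = {c: round(freq[c] * sev[c] * 100, 1) for c in counts}
    return scores, unmapped

def ranked(scores):
    """CWE ids ordered by descending score."""
    return sorted(scores, key=lambda c: scores[c], reverse=True)

if __name__ == "__main__":
    scores, unmapped = score_weaknesses(SAMPLE_RECORDS)
    for pos, cwe in enumerate(ranked(scores), 1):
        print(f"{pos}. {cwe}: {scores[cwe]}")
    print(f"unmapped records ignored: {unmapped}")
```

With this data the common-and-severe CWE-787 ranks first, the common-but-mild CWE-79 second, and both the rare-but-severe and the common-but-low-impact weaknesses score zero, which is exactly the behaviour the three methodology bullets describe.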
MITRE also cites the introduction of the new methodology as contributing to changes in the Top 25 drawn from the 900 weaknesses in CWE. The updated methodology emphasizes the frequency and severity of vulnerabilities, leading to shifts in rankings. This change ensures that the list reflects the most impactful and prevalent weaknesses rather than theoretical or less critical ones.
The 2024 CWE Top 25 list highlights the enduring challenges of input validation, where application-layer weaknesses like XSS and SQL Injection are still far from becoming a thing of the past. The list serves as a resource for understanding the most pressing security vulnerabilities and prioritizing mitigation based on the impact of exploitation.