CWE-829βInclusion of Functionality from Untrusted Control Sphere
PUBLISHEDweakness record
released 2010-12-13 Β· last modified 2026-01-21
Metadata
- CWE ID:
- CWE-829
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Incomplete
- Release Date:
- 2010-12-13
- Latest Modification Date:
- 2026-01-21
Weakness Name
Inclusion of Functionality from Untrusted Control Sphere
Description
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Common Consequences
- Scope:
- Confidentiality, Integrity, Availability
- Impact:
- Execute Unauthorized Code or Commands
- Notes:
- An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site. This could enable the injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, open redirect to malware (CWE-601), etc.