CWE-1125 Excessive Attack Surface
Coverage: 9 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 9 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged patterns that suggest your system exposes more entry points, capabilities, or privileges than necessary (extra endpoints, debug panels, broad permissions, unused features left enabled).
Why it matters
More exposed endpoints and permissions increase the likelihood of exploitable paths.
- More things to break: every endpoint, feature flag, and admin capability is another potential vulnerability.
- Forgotten features: old routes and debug tools are commonly unpatched and unmonitored.
- Broader compromise: over-privileged services turn small bugs into big incidents.
Safer examples
1) Disable or remove unused endpoints and features
Turn off debug routes, internal docs, admin consoles, and legacy APIs in production unless explicitly needed.
2) Put strong authz in front of privileged surfaces
Admin endpoints should be segregated, require step-up auth/MFA, and be network-restricted where possible.
3) Reduce privileges by default
Use least-privilege IAM/service accounts and narrow scopes; avoid "*" permissions (see CWE-276 / A01).
How SiteShadow detects it (high level)
- Detects exposed admin/debug surfaces, overly broad permissions, and "high-privilege by default" patterns.
- Flags endpoints and configs that expand reachable functionality without corresponding protections.
References
- CWE-1125: https://cwe.mitre.org/data/definitions/1125.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.