CWE-129 Improper Validation of Array Index
Coverage: 3 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 3 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged an array/list index derived from untrusted input being used without bounds checks. In safe languages this often "just" throws, but repeated crashes can become denial of service; in native contexts it can become memory corruption.
Why it matters
Invalid indices can cause crashes or data leakage.
- DoS via crashes: attackers send out-of-range indices to trigger exceptions repeatedly.
- Data exposure: the wrong index can access a record that shouldn't be reachable (logic bug / IDOR-like patterns).
- In lower-level contexts, out-of-bounds access can lead to memory safety issues.
Safer examples
1) Validate index ranges before access (Python)
idx = int(user_input)
if idx < 0 or idx >= len(items):
raise ValueError("Invalid index")
item = items[idx]
2) Prefer IDs over positional indices (recommended)
Accept an object ID and look it up with authorization, rather than letting users pick array positions (see CWE-286).
3) Fail closed and handle errors safely
Return 400 on invalid indexes; don't leak internal stack traces (see E01).
How SiteShadow detects it (high level)
- Detects array indexing where the index comes from request/user input.
- Flags missing bounds checks and cases where the index influences sensitive selections.
References
- CWE-129: https://cwe.mitre.org/data/definitions/129.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.