CWE-316 Cleartext Storage in Memory
Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 6 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged sensitive values being held in memory in a way that may be exposed through crashes, heap dumps, debug tooling, or overly broad logging/telemetry.
Why it matters
Memory exposure can leak secrets via dumps or crashes.
- Crash dumps and diagnostics can capture plaintext secrets.
- Debugging/observability tooling can inadvertently record memory/state.
- In some environments, other processes/users may access memory snapshots.
Safer examples
1) Minimize lifetime of secrets in memory
Keep secrets in memory only as long as needed; avoid storing them in global variables.
2) Avoid logging objects that contain secrets
Redact before logging and be careful with "dump whole object" patterns (see CWE-532 / L01).
3) Use platform facilities where appropriate
In some stacks you can use OS keychains / secret stores rather than keeping secrets in-process.
How SiteShadow detects it (high level)
- Flags sensitive values flowing into long-lived objects (configs, caches) and debug/logging sinks.
- Uses heuristics around credential-like fields being retained and exposed.
References
- CWE-316: https://cwe.mitre.org/data/definitions/316.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.