SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-316 Cleartext Storage in Memory

Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 6 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged sensitive values being held in memory in a way that may be exposed through crashes, heap dumps, debug tooling, or overly broad logging/telemetry.

Why it matters

Memory exposure can leak secrets via dumps or crashes.

Safer examples

1) Minimize lifetime of secrets in memory

Keep secrets in memory only as long as needed; avoid storing them in global variables.

2) Avoid logging objects that contain secrets

Redact before logging and be careful with "dump whole object" patterns (see CWE-532 / L01).

3) Use platform facilities where appropriate

In some stacks you can use OS keychains / secret stores rather than keeping secrets in-process.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.