SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-454 External Initialization of Trusted Variables or Data Stores

Coverage: 9 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 9 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged "trusted" values being initialized or populated from an untrusted source (client input, unsigned webhooks, headers, environment, files). This becomes dangerous when the value is later treated as authoritative (roles, prices, account IDs, feature flags, security settings).

Why it matters

Attackers can influence trusted values, leading to privilege escalation or logic bypass.

Safer examples

1) Make the server the source of truth

Load roles, plans, prices, and permissions from your database or trusted internal service, not from the request (see CWE-642 / B01).

2) Verify external inputs that must be trusted

For webhooks/config files, require signatures, enforce schemas, and restrict who can write them (see CWE-347 / A08).

3) Treat environment/config as privileged and validated

Use allowlists for env-driven options and avoid "insecure mode" toggles in production.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.