CWE-628 Function Call with Incorrectly Specified Arguments
Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 4 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged a function call where arguments are likely incorrect, unsafe, or not validated (wrong ordering, wrong types, missing required flags). This is often how security controls get accidentally disabled (e.g., passing an "insecure" option, disabling verification, or turning on permissive parsing).
Why it matters
Incorrect arguments can cause unexpected behavior or vulnerabilities.
- Security feature disabled: e.g., turning off TLS verification, disabling auth checks, enabling "unsafe" modes.
- Injection/validation bypass when parsing/escaping functions are called incorrectly.
- Reliability issues that become DoS when attackers can trigger the bad call.
Safer examples
1) Prefer named/explicit options over positional arguments
Named options reduce "wrong parameter" mistakes.
2) Avoid insecure flags and "compatibility" switches
Don't pass flags like verify=False, "allowInsecure", "disableValidation", etc., especially based on environment variables.
3) Add tests for security-relevant behavior
For example, tests that ensure TLS verification is on, JWT verification is enforced, and auth middleware runs.
How SiteShadow detects it (high level)
- Detects known security-relevant APIs and highlights calls with risky arguments/options.
- Flags suspicious defaults and toggles that can disable protections.
References
- CWE-628: https://cwe.mitre.org/data/definitions/628.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.