CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Other-pattern 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged code or dependencies being pulled from an untrusted control sphere (untrusted registries, unchecked remote includes, dynamic plugin loading, downloading and executing code at runtime).
Why it matters
Untrusted sources can introduce malicious functionality.
- Supply-chain compromise: attackers swap or poison dependencies/plugins and run code inside your app.
- Persistent backdoors: malicious code ships to users/production and is hard to notice.
- Credential theft/data exfiltration: compromised dependencies often target tokens and secrets.
Safer examples
1) Pin and verify dependencies
Use lockfiles, checksums/signatures where supported, and controlled registries (see A08 / SBOM01).
2) Don't download-and-execute at runtime
Avoid "fetch plugin code from URL" patterns. If you need extensibility, ship vetted plugins or use server-side allowlisted modules.
3) Restrict plugin/module loading
Allowlist module names and load only from a trusted, read-only directory.
How SiteShadow detects it (high level)
- Detects dynamic code loading (remote includes, downloads, eval-like execution, plugin loading) and checks whether the source is untrusted.
- Flags missing integrity checks (pins, hashes, signatures) around dependency acquisition.
References
- CWE-829: https://cwe.mitre.org/data/definitions/829.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.