1. Home
  2. CWE Database
  3. CWE-375
Base · Medium

CWE-375: Returning a Mutable Object to an Untrusted Caller

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

CWE-375 · Base Level ·2 Mitigations

Description

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously cloned, the class will then be using modified data which may violate assumptions about its internal state.

Potential Impact

Access Control, Integrity

Modify Memory

Demonstrative Examples

This class has a private list of patients, but provides a way to see the list :
Bad
public class ClinicalTrial {private PatientClass[] patientList = new PatientClass[50];public getPatients(...){return patientList;}}
While this code only means to allow reading of the patient list, the getPatients() method returns a reference to the class's original patient list instead of a reference to a copy of the list. Any caller of this method can arbitrarily modify the contents of the patient list even though it is a private member of the class.

Mitigations & Prevention

Implementation

Declare returned data which should not be altered as constant or immutable.

Implementation

Clone all mutable data before returning references to it. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.

CWE-668: Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the...

Taxonomy Mappings

  • CLASP: — Mutable object returned
  • The CERT Oracle Secure Coding Standard for Java (2011): OBJ04-J — Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
  • The CERT Oracle Secure Coding Standard for Java (2011): OBJ05-J — Defensively copy private mutable class members before returning their references
  • SEI CERT Perl Coding Standard: EXP34-PL — Do not modify $_ in list or sorting functions
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-375?

CWE-375 (Returning a Mutable Object to an Untrusted Caller) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

How can CWE-375 be exploited?

Attackers can exploit CWE-375 (Returning a Mutable Object to an Untrusted Caller) to modify memory. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-375?

Key mitigations include: Declare returned data which should not be altered as constant or immutable.

What is the severity of CWE-375?

CWE-375 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.