Base · Medium

CWE-489: Active Debug Code

CWE-489 · Base Level · 3 CVEs · 1 Mitigation

Description

The product is released with debugging code still enabled or active.

Potential Impact

Confidentiality, Integrity, Availability, Access Control, Other

Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context

Demonstrative Examples

Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:
Bad
<FORM ACTION="/authenticate_login.cgi">
  <INPUT TYPE=TEXT name=username>
  <INPUT TYPE=PASSWORD name=password>
  <INPUT TYPE=SUBMIT>
</FORM>
Then a conforming link will look like:
Informative
http://TARGET/authenticate_login.cgi?username=...&password=...
An attacker can change this to:
Attack
http://TARGET/authenticate_login.cgi?username=&password=&debug=1
This grants the attacker access to the site, bypassing the authentication process entirely: the server never evaluates the credentials once the debug switch is present.
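The login handler described above, written out as an added example that is not part of the CWE entry: the vulnerable version honours the leftover debug parameter, the hardened version makes the authentication decision depend only on the credential check, and a small helper flags request parameters the login form never sends (all names and the credential store are constructed for the example).

```python
# Added example (not from the CWE entry). Demonstrates the CWE-489 login
# pattern beside a hardened form. Names and data are hypothetical.
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed sample credential store: username -> salted SHA-256 of password.
_SALT = b"constructed-static-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _password_ok(username: str, password: str) -> bool:
    """Constant-time comparison against the stored digest."""
    expected = USERS.get(username)
    if expected is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)


def vulnerable_login(query: str) -> bool:
    """CWE-489: the leftover 'debug' parameter skips the credential check."""
    params = parse_qs(query, keep_blank_values=True)
    if params.get("debug", [""])[0] == "1":   # debug code shipped to production
        return True
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    return _password_ok(username, password)


def hardened_login(query: str) -> bool:
    """Fixed: the outcome depends only on the credentials. Debug behaviour is
    removed before release (the CWE mitigation); if diagnostics are needed they
    are gated on a deploy-time setting, never on request input, and must not
    alter the authentication result."""
    params = parse_qs(query, keep_blank_values=True)
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    return _password_ok(username, password)


def unexpected_parameters(query: str) -> set:
    """Detection aid: report parameters the login form does not send, so a
    lingering debug switch surfaces in request logs or test suites."""
    allowed = {"username", "password"}
    return set(parse_qs(query, keep_blank_values=True)) - allowed
```

Running `unexpected_parameters` over access logs of the login endpoint is a cheap way to spot a forgotten switch before a release ships with it.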

Mitigations & Prevention

Build and Compilation; Distribution

Remove debug code before deploying the application.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID          Description
CVE-2024-44092  smartphone is built for production with debugging code present, allowing local privilege escalation
CVE-2024-36475  network hub contains active debug code, which allows users to execute arbitrary OS commands using a debug function
CVE-2024-29075  Mesh Wi-Fi router has active debug code, allowing attackers to modify device settings

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Leftover Debug Code
  • OWASP Top Ten 2004: A10 — Insecure Configuration Management
  • Software Fault Patterns: SFP28 — Unexpected access points

Frequently Asked Questions

What is CWE-489?

CWE-489 (Active Debug Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product is released with debugging code still enabled or active.

How can CWE-489 be exploited?

Attackers can exploit CWE-489 (Active Debug Code) to bypass a protection mechanism, read application data, or gain privileges or assume an identity; the exact impact varies by context. This weakness is typically introduced during the Implementation, Build and Compilation, and Operation phases of software development.

How do I prevent CWE-489?

Key mitigations include: Remove debug code before deploying the application.

What is the severity of CWE-489?

CWE-489 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.