Variant · Low-Medium

CWE-627: Dynamic Variable Evaluation

CWE-627 · Variant Level · 4 CVEs · 3 Mitigations

Description

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.

Potential Impact

Confidentiality, Integrity, Availability

Modify Application Data, Execute Unauthorized Code or Commands

Mitigations & Prevention

Implementation

Refactor the code to avoid dynamic variable evaluation whenever possible.

Implementation

Use only allowlists of acceptable variable or function names.

Implementation

For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.
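
The three mitigations above, as an added PHP example that is not part of the original page: the commented lines show the uncontrolled pattern, and the functions replace it with an allowlist of setting names and an allowlist of handlers with a fixed argument count. The parameter, setting and function names are hypothetical, and the request array is constructed.

```php
<?php
// Constructed request data standing in for $_GET; all names are hypothetical.
$request = ['var' => 'isAdmin', 'value' => '1',
            'action' => 'show_profile', 'args' => ['id' => '42']];

// Uncontrolled pattern (left commented out):
//   ${$request['var']} = $request['value'];   // caller chooses the variable
//   $request['action'](...$request['args']);  // caller chooses the function

const ALLOWED_SETTINGS = ['theme', 'language'];
// Public action name => [handler function, exact argument count].
const ALLOWED_ACTIONS = [
    'show_profile' => ['show_profile', 1],
    'list_items'   => ['list_items', 2],
];

function show_profile(string $userId): string { return "profile:$userId"; }
function list_items(string $category, string $page): string { return "items:$category:$page"; }

function setSetting(array $settings, string $name, string $value): array
{
    if (!in_array($name, ALLOWED_SETTINGS, true)) {
        throw new InvalidArgumentException("setting not allowed: $name");
    }
    $settings[$name] = $value; // keyed array entry, never ${$name}
    return $settings;
}

function dispatch(string $action, array $args): string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException("action not allowed: $action");
    }
    [$handler, $arity] = ALLOWED_ACTIONS[$action];
    if (count($args) !== $arity) {
        throw new InvalidArgumentException("$action expects $arity argument(s)");
    }
    // array_values() discards caller-supplied keys before unpacking.
    return $handler(...array_values($args));
}

echo dispatch($request['action'], $request['args']), "\n";
try {
    setSetting(['theme' => 'light'], $request['var'], $request['value']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```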

Real-World CVE Examples

| CVE ID | Description |
| --- | --- |
| CVE-2009-0422 | Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal. |
| CVE-2007-2431 | Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS. |
| CVE-2006-4904 | Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion. |
| CVE-2006-4019 | Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users. |

Frequently Asked Questions

What is CWE-627?

CWE-627 (Dynamic Variable Evaluation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

How can CWE-627 be exploited?

Attackers can exploit CWE-627 (Dynamic Variable Evaluation) to modify application data or to execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-627?

Key mitigations include: Refactor the code to avoid dynamic variable evaluation whenever possible.

What is the severity of CWE-627?

CWE-627 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 4 real-world CVEs.