CWE-501 - Trust Boundary Violation
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Release Date: 2006-07-19
- Latest Modification Date: 2023-06-29
Weakness Name
Trust Boundary Violation
Description
The product mixes trusted and untrusted data in the same data structure or structured message.
A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.
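As an added illustration (not part of the CWE entry), the pattern described above in Python: a request handler that merges client-supplied form fields into the server-side session beside server-set fields, next to a version that validates only the allowed fields and keeps them in their own namespace. The session contents, the form body and the field names are constructed for this example.

```python
import re
from typing import Any, Dict

# Constructed sample state (assumption for the example): a server-side session
# that already holds trusted, server-assigned fields.
def fresh_session() -> Dict[str, Any]:
    return {"user_id": 42, "role": "user"}

# Constructed untrusted input, as a web framework would hand a parsed form body
# to the handler. The client controls every key and every value.
UNTRUSTED_FORM = {"display_name": "alice", "role": "admin"}

def is_admin(session: Dict[str, Any]) -> bool:
    # Downstream code reads 'role' and assumes the server set it.
    return session.get("role") == "admin"

def vulnerable_handler(session: Dict[str, Any], form: Dict[str, str]) -> Dict[str, Any]:
    # CWE-501: untrusted form fields are merged into the same structure as the
    # trusted ones, so a client-supplied 'role' silently overwrites the server's.
    session.update(form)
    return session

_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,32}$")

def hardened_handler(session: Dict[str, Any], form: Dict[str, str]) -> Dict[str, Any]:
    # Only an explicit allow-list of fields crosses the boundary, each one is
    # validated, and the result lives under its own key so that trusted fields
    # can never be shadowed by client data.
    display_name = form.get("display_name", "")
    if not _NAME_RE.fullmatch(display_name):
        raise ValueError("invalid display_name")
    session["client_prefs"] = {"display_name": display_name}
    return session

def hardened_rejects(form: Dict[str, str]) -> bool:
    # Helper: True when the hardened handler refuses the input outright.
    try:
        hardened_handler(fresh_session(), form)
    except ValueError:
        return True
    return False
```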
Common Consequences
Scope: Access Control
Impact: Bypass Protection Mechanism
Related Weaknesses