Common Weakness Enumeration

2024 CWE Top 25 Key Insights

There are several notable shifts in ranked positions of weakness types from last year’s list, including weaknesses dropping away or making their first appearance in a Top 25.

Analysis

The introduction of a new methodology for the 2024 CWE Top 25 resulted in many rankings changes from last year’s list. In fact, only three weaknesses retained the same ranking as last year:

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') at #3
• CWE-434: Unrestricted Upload of File with Dangerous Type at #10
• CWE-918: Server-Side Request Forgery (SSRF) at #19

The biggest movers up the list are:

• CWE-352: Cross-Site Request Forgery (CSRF), up 5 from #9 to #4
• CWE-94: Improper Control of Generation of Code ('Code Injection'), up 12 from #23 to #11
• CWE-269: Improper Privilege Management, up 7 from #22 to #15
• CWE-863: Incorrect Authorization, up 6 from #24 to #18

The biggest downward movers are:

• CWE-20: Improper Input Validation, down 6 from #6 to #12
• CWE-476: NULL Pointer Dereference, down 9 from #12 to #21
• CWE-190: Integer Overflow or Wraparound, down 9 from #14 to #23
• CWE-306: Missing Authentication for Critical Function, down 5 from #20 to #25

New entries in the Top 25 are:

• CWE-400: Uncontrolled Resource Consumption, up 13 from #37 to #24
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, up 13 from #30 to #17

Entries that fell off the Top 25 are:

• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), down 13 from #21 to #34
• CWE-276: Incorrect Default Permissions, down 11 from #25 to #36

Mapping Usage

There were 19,797 individual mappings to the Top 25 CWEs in this year’s list.

Every CWE is annotated with a “mapping usage recommendation” that suggests whether the CWE should be used for vulnerability root cause mapping given its level of abstraction and actionability.

The CWEs in the 2024 Top 25 had the following mapping usage recommendations:

• 15 Allowed – 16,298 maps (82.33% of all Top 25 mappings)
• 4 Allowed-with-Review – 1,481 maps (7.48%)
• 6 Discouraged– 2,017 maps (10.19%)

In contrast, last year’s 2023 Top 25 had the following mapping usage recommendations:

• 16 Allowed – 23,049 maps (84.28% of all 2023 Top 25 mappings)
• 5 Allowed-with-Review – 1,757 maps (6.42%)
• 4 Discouraged – 2,541 maps (9.29%)

It should be noted that 6 of the 2024 Top 25 CWEs were Discouraged for mapping, while only 4 CWEs in the 2023 Top 25 were Discouraged. Ideally, the CWE Team hopes that mappings to Discouraged CWEs would decline each year, as CNAs use more precise and actionable alternative mappings.

Abstraction

CWE contains over 900 weaknesses that range from abstract and conceptual to precise and technology- or language-specific. A precise weakness will have a “parent” weakness that is more abstract, which may also have “parent” weaknesses, and so on. There are four types of weakness abstractions, from most abstract to most specific: Pillar, Class, Base, and Variant.

For root cause mapping, CWE’s root cause mapping guidance recommends that Base and Variant level CWEs should be used whenever possible to ensure providing adequate specificity, actionability, and root cause information for a vulnerability. Class level CWEs may be used for root cause mapping if there is no accurate Base or Variant level CWE.

In the 2024 Top 25, the number of maps based on CWE abstraction were:

• Base: 14,342 maps (72.45%) for 14 unique CWEs
• Class: 3,498 maps (17.67%) for 9 unique CWEs
• Compound: 1,301 maps (6.57%) for 1 unique CWEs
• Variant: 655 maps (3.31%) for 1 unique CWEs

This year’s list contains 9 classes, which is an increase over last year’s list at 8 classes.

For 2023, the abstraction counts were:

• Base: 20,618 maps (75.39%) for 15 unique CWEs
• Class: 4,298 maps (15.72%) for 8 unique CWEs
• Compound: 1,094 maps (4.00%) for 1 unique CWEs
• Variant: 1,337 maps (4.89%) for 1 unique CWEs

It should be noted that the “Compound” CWE is for Cross-Site Request Forgery (CSRF) (i.e., CWE-352), which is a composite of multiple weaknesses; CWE-352’s abstraction aligns with that of a Base.

Possible Causes of Rank Shifts

There were significantly lower CVE counts for most CWEs in this year’s analysis, possibly because of many CVE Records in the first half of 2024 not receiving CWE mappings from U.S. National Vulnerability Database (NVD) analysts. The issue remained in the final data pull on November 4, 2024, across all available mapping information in the CVE List and the NVD. For example, the number of CVE Records that were mapped to CWE-787: Out-of-bounds Write declined by over 2,000 this year. It is not clear whether these gaps affect the relative rankings, since the distribution of unmapped CVEs seems likely to align roughly with the CWE distribution of the entire data set.

The Top 25 team is excited to see more and more CNAs routinely providing CWE mappings at the time of disclosure. The CVE Program’s CVE Numbering Authority (CNA) Enrichment Recognition List lists these CNAs regularly in their metrics.

Less Complete Mapping Analysis of “Frequently Misused” CWEs

In previous years, the CWE Team would focus much of its mapping analysis on CVE Records that mapped to CWEs that are frequently misused (i.e., known or suspected to be susceptible to erroneous mappings when better choices are available). These were often remapped to lower-level CWEs by the CWE Team. As this year’s methodology emphasized CNA mapping review and only 27% of the dataset ended up being re-analyzed by CNAs, many CVE Records with potentially suboptimal mappings were not remapped.

For example, the following CWEs increased in ranks this year, although they would have been a focus of analysis by the CWE Team, and their position on the list would have likely been lower — possibly outside of the Top 25.

• CWE-94: Improper Control of Generation of Code ('Code Injection') and CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') are frequently misused. CWE-94 can be misused when any kind of “code execution” occurs independent of the root cause. CWE-77 is often misused in cases of OS command injection, where CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') is more appropriate
• CWE-400: Uncontrolled Resource Consumption, also frequently misused, is in the Top 25 this year, while CWE-770: Allocation of Resources Without Limits or Throttling — its most popular child — has dropped. In previous years, the CWE Team would often remap CWE-400 to CWE-770
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor is often misused — so often that mapping to it is Discouraged — because “disclosure of sensitive information” is such a common consequence to many vulnerabilities

Omission of Chain Analysis

In 2022 and 2023, the CWE Team analysis would include chains, such as:

• CWE-20: Improper Input Validation to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-190: Integer Overflow or Wraparound to CWE-787: Out-of-bounds Write
• CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') to CWE-416: Use After Free

The Top 25 calculation algorithm accounts for all CWEs in the chain. Since few CNAs perform chain analysis, and it is unclear how many even listed all chain elements in their responses, it is highly likely that there were fewer chains for this year’s Top 25 analysis. This might be a major factor in CWE-20: Improper Input Validation, CWE-190: Integer Overflow or Wraparound, and CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') moving down the list.