Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.
CWE-105 Variant Draft
Struts: Form Field Without Validator
This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input.
Definition
What is CWE-105?
This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input.
Leaving even one form field without validation creates a direct opening for attackers. They can exploit this oversight to inject malicious data, bypass security checks, or manipulate application logic, potentially leading to data breaches, unauthorized access, or system compromise.
While Java applications themselves are often protected from low-level memory issues, the risk escalates if the application interacts with native code or external systems. An attacker could use this unvalidated input as an entry point to trigger buffer overflows or other critical vulnerabilities in those connected components, turning a simple input oversight into a severe chained attack.
Real-world impact
Real-world CVEs caused by CWE-105
No public CVE references are linked to this CWE in MITRE's catalog yet.
How attackers exploit it
Step-by-step attacker path
- 1
In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
- 2
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
- 3
However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.
Vulnerable code example
Vulnerable XML
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
<form-validation>
<formset>
<form name="RegistrationForm">
<field property="name" depends="required">
<arg position="0" key="prompt.name"/>
</field>
<field property="address" depends="required">
<arg position="0" key="prompt.address"/>
</field>
<field property="city" depends="required">
<arg position="0" key="prompt.city"/>
</field>
<field property="state" depends="required,mask">
<arg position="0" key="prompt.state"/>
<var>
<var-name>mask</var-name>
<var-value>[a-zA-Z]{2}</var-value>
</var>
</field>
<field property="zipcode" depends="required,mask">
<arg position="0" key="prompt.zipcode"/>
<var>
<var-name>mask</var-name>
<var-value>\d{5}</var-value>
</var>
</field>
</form>
</formset>
</form-validation> Secure code example
Secure XML
However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.
<form-validation>
<formset>
<form name="RegistrationForm">
<field property="name" depends="required">
<arg position="0" key="prompt.name"/>
</field>
<field property="address" depends="required">
<arg position="0" key="prompt.address"/>
</field>
<field property="city" depends="required">
<arg position="0" key="prompt.city"/>
</field>
<field property="state" depends="required,mask">
<arg position="0" key="prompt.state"/>
<var>
<var-name>mask</var-name>
<var-value>[a-zA-Z]{2}</var-value>
</var>
</field>
<field property="zipcode" depends="required,mask">
<arg position="0" key="prompt.zipcode"/>
<var>
<var-name>mask</var-name>
<var-value>\d{5}</var-value>
</var>
</field>
<field property="phone" depends="required,mask">
<arg position="0" key="prompt.phone"/>
<var>
<var-name>mask</var-name>
<var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value>
</var>
</field>
<field property="email" depends="required,email">
<arg position="0" key="prompt.email"/>
</field>
</form>
</formset>
</form-validation> What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-105
- Implementation Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
Detection signals
How to detect CWE-105
Run dynamic application security testing against the live endpoint.
Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.
Code review: flag any new code that handles input from this surface without using the validated framework helpers.
Plexicus auto-detects CWE-105 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-105?
How serious is CWE-105?
What languages or platforms are affected by CWE-105?
How can I prevent CWE-105?
How does Plexicus detect and fix CWE-105?
Where can I learn more about CWE-105?
Frequently asked questions
What is CWE-105?
This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input.
How serious is CWE-105?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.
What languages or platforms are affected by CWE-105?
MITRE lists the following affected platforms: Java.
How can I prevent CWE-105?
Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
How does Plexicus detect and fix CWE-105?
Plexicus's SAST engine matches the data-flow signature for CWE-105 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-105?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/105.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-105
CWE-1173 Parent
Improper Use of Validation Framework
This vulnerability occurs when a software application either fails to use or incorrectly implements a built-in or library-provided input…
CWE-102 Sibling
Struts: Duplicate Validation Forms
This vulnerability occurs when an application defines multiple Struts validation forms with identical names. The framework then…
CWE-106 Sibling
Struts: Plug-in Framework not in Use
This weakness occurs when a Java application, particularly one using the Struts framework, does not implement a structured input…
CWE-108 Sibling
Struts: Unvalidated Action Form
In Apache Struts, every Action Form that processes user input must have a corresponding validation form configured. Missing this…
CWE-109 Sibling
Struts: Validator Turned Off
This vulnerability occurs when an application built with Apache Struts intentionally disables its built-in validation framework. By…
CWE-1174 Sibling
ASP.NET Misconfiguration: Improper Model Validation
This vulnerability occurs when an ASP.NET application either completely bypasses the built-in model validation system or implements it…
CWE-554 Sibling
ASP.NET Misconfiguration: Not Using Input Validation Framework
This vulnerability occurs when an ASP.NET application fails to implement a structured input validation framework, relying instead on…
Resources
Further reading
- MITRE — official CWE-105 https://cwe.mitre.org/data/definitions/105.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.