Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.
CWE-107 Variant Draft
Struts: Unused Validation Form
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
Definition
What is CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
In Struts frameworks, validation logic is often tied to specific form or action mappings. When developers rename or remove these mappings during refactoring, they can easily overlook the corresponding validation forms. These orphaned validation rules remain in the configuration files, creating a false sense of security and cluttering the code with dead logic.
This situation is problematic because it indicates that the application's validation layer is not being properly maintained. Attackers may exploit the gap between the actual form processing and the intended validation rules, potentially bypassing client-side or server-side checks. Regularly auditing and removing unused validation forms is essential to keep security configurations accurate and effective.
Real-world impact
Real-world CVEs caused by CWE-107
No public CVE references are linked to this CWE in MITRE's catalog yet.
How attackers exploit it
Step-by-step attacker path
- 1
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
- 2
However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form and the RegistrationForm class. Any validation forms that are no longer required should be removed from the validator XML file, validator.xml.
- 3
The existence of unused forms may be an indication to attackers that this code is out of date or poorly maintained.
Vulnerable code example
Vulnerable Java
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
```
// private variables for registration form*
private String name;
private String address;
private String city;
private String state;
private String zipcode;
*// no longer using the phone form field*
*// private String phone;*
private String email;
public RegistrationForm() {
```
super();
}
```
// getter and setter methods for private variables*
...} Secure code example
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-107
- Implementation Remove the unused Validation Form from the validation.xml file.
Detection signals
How to detect CWE-107
Run dynamic application security testing against the live endpoint.
Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.
Code review: flag any new code that handles input from this surface without using the validated framework helpers.
Plexicus auto-detects CWE-107 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-107?
How serious is CWE-107?
What languages or platforms are affected by CWE-107?
How can I prevent CWE-107?
How does Plexicus detect and fix CWE-107?
Where can I learn more about CWE-107?
Frequently asked questions
What is CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
How serious is CWE-107?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.
What languages or platforms are affected by CWE-107?
MITRE lists the following affected platforms: Java.
How can I prevent CWE-107?
Remove the unused Validation Form from the validation.xml file.
How does Plexicus detect and fix CWE-107?
Plexicus's SAST engine matches the data-flow signature for CWE-107 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-107?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/107.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-107
CWE-1164 Parent
Irrelevant Code
Irrelevant code refers to sections of a program that have no impact on its execution, data, or logic. Removing this code would not change…
CWE-1071 Sibling
Empty Code Block
An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable…
CWE-110 Sibling
Struts: Validator Without Form Field
This vulnerability occurs when a Struts application's validation configuration file references form fields that no longer exist in the…
CWE-561 Sibling
Dead Code
Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable.
CWE-563 Sibling
Assignment to Variable without Use
This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a…
Resources
Further reading
- MITRE — official CWE-107 https://cwe.mitre.org/data/definitions/107.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.