CWE-1275 Variant Incomplete Medium likelihood

Sensitive Cookie with Improper SameSite Attribute

This vulnerability occurs when a sensitive cookie does not have a secure SameSite attribute configured, leaving it exposed to cross-site request forgery (CSRF) attacks.

Definition

What is CWE-1275?

This vulnerability occurs when a sensitive cookie does not have a secure SameSite attribute configured, leaving it exposed to cross-site request forgery (CSRF) attacks.

The SameSite cookie attribute is a critical browser security feature that controls whether a cookie is sent with cross-site requests. It has three possible values: 'Strict' (most secure, never sent cross-site), 'Lax' (sent with safe top-level navigation like links), and 'None' (always sent, requiring the Secure flag). When this attribute is omitted or set insecurely for sensitive cookies—like session or authentication tokens—those credentials can be automatically included in malicious cross-site requests, bypassing the browser's default protections. This creates a direct path for CSRF attacks, where an attacker's site can trigger authenticated actions on the target site without the user's consent. While other defenses like anti-CSRF tokens are important, properly configuring SameSite provides a fundamental, browser-enforced layer of security. For maximum protection, set sensitive cookies to 'Strict' or 'Lax' unless a specific cross-site functionality requires 'None', in which case the Secure flag is mandatory.

Real-world impact

Real-world CVEs caused by CWE-1275

CVE-2022-24045

Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the SameSite security attribute, allowing the cookie to be sniffed

How attackers exploit it

Step-by-step attacker path

1
In this example, a cookie is used to store a session ID for a client's interaction with a website. The snippet of code below establishes a new cookie to hold the sessionID.
2
Since the sameSite attribute is not specified, the cookie will be sent to the website with each request made by the client. An attacker can potentially perform a CSRF attack by using the following malicious page:
3
When the client visits this malicious web page, it submits a '/setEmail' POST HTTP request to the vulnerable website. Since the browser automatically appends the 'sessionid' cookie to the request, the website automatically performs a 'setEmail' action on behalf of the client.
4
To mitigate the risk, use the sameSite attribute of the 'sessionid' cookie set to 'Strict'.

Vulnerable code example

Vulnerable JavaScript

In this example, a cookie is used to store a session ID for a client's interaction with a website. The snippet of code below establishes a new cookie to hold the sessionID.

Vulnerable JavaScript

let sessionId = generateSessionId()
 let cookieOptions = { domain: 'example.com' }
 response.cookie('sessionid', sessionId, cookieOptions)

Attacker payload

Since the sameSite attribute is not specified, the cookie will be sent to the website with each request made by the client. An attacker can potentially perform a CSRF attack by using the following malicious page:

Attacker payload HTML

<html>

```
   <form id=evil action="http://local:3002/setEmail" method="POST">
  	 <input type="hidden" name="newEmail" value="abc@example.com" />
   </form>
 <script>evil.submit()</script>
 </html>

Secure code example

Secure JavaScript

To mitigate the risk, use the sameSite attribute of the 'sessionid' cookie set to 'Strict'.

Secure JavaScript

let sessionId = generateSessionId()
 let cookieOptions = { domain: 'example.com', sameSite: 'Strict' }
 response.cookie('sessionid', sessionId, cookieOptions)

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-1275

Implementation Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.

Detection signals

How to detect CWE-1275

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-1275 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-1275?

This vulnerability occurs when a sensitive cookie does not have a secure SameSite attribute configured, leaving it exposed to cross-site request forgery (CSRF) attacks.

How serious is CWE-1275?

MITRE rates the likelihood of exploit as Medium — exploitation is realistic but typically requires specific conditions.

What languages or platforms are affected by CWE-1275?

MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Web Based.

How can I prevent CWE-1275?

Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.

How does Plexicus detect and fix CWE-1275?

Plexicus's SAST engine matches the data-flow signature for CWE-1275 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-1275?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/1275.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-1275

CWE-923 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo

Sensitive Cookie with Improper SameSite Attribute

What is CWE-1275?

Real-world CVEs caused by CWE-1275

Step-by-step attacker path

Vulnerable JavaScript

Secure JavaScript

How to prevent CWE-1275

How to detect CWE-1275

Plexicus auto-detects CWE-1275 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-1275

Improper Restriction of Communication Channel to Intended Endpoints

Reliance on IP Address for Authentication

Improper Validation of Certificate with Host Mismatch

Channel Accessible by Non-Endpoint

Unprotected Primary Channel

Unprotected Alternate Channel

Improper Verification of Source of a Communication Channel

Incorrectly Specified Destination in a Communication Channel

Permissive Cross-domain Security Policy with Untrusted Domains

Further reading

Don't Let Security
Weigh You Down.

Sensitive Cookie with Improper SameSite Attribute

What is CWE-1275?

Real-world CVEs caused by CWE-1275

Step-by-step attacker path

Vulnerable JavaScript

Secure JavaScript

How to prevent CWE-1275

How to detect CWE-1275

Plexicus auto-detects CWE-1275 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-1275

Improper Restriction of Communication Channel to Intended Endpoints

Reliance on IP Address for Authentication

Improper Validation of Certificate with Host Mismatch

Channel Accessible by Non-Endpoint

Unprotected Primary Channel

Unprotected Alternate Channel

Improper Verification of Source of a Communication Channel

Incorrectly Specified Destination in a Communication Channel

Permissive Cross-domain Security Policy with Untrusted Domains

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.