CWE-299 Base Draft Medium likelihood

Improper Check for Certificate Revocation

This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy…

Definition

What is CWE-299?

This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy certificate.
Failing to check certificate revocation is a critical security gap, more severe than other certificate errors. When a certificate is revoked, it's almost always because the associated private key has been exposed or the issuing authority no longer trusts it—meaning any system still using that certificate is likely compromised. Legitimate services should never operate with a revoked certificate unless they have a serious configuration or synchronization problem. For developers, this means your application could mistakenly trust a malicious actor impersonating a legitimate server. To prevent this, always implement and test proper revocation checking mechanisms like CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) in your TLS/SSL handshake logic, and ensure these checks cannot be bypassed by network errors or performance shortcuts.
Real-world impact

Real-world CVEs caused by CWE-299

  • CVE-2011-2014

    LDAP-over-SSL implementation does not check Certificate Revocation List (CRL), allowing spoofing using a revoked certificate.

  • CVE-2011-0199

    Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.

  • CVE-2010-5185

    Antivirus product does not check whether certificates from signed executables have been revoked.

  • CVE-2009-3046

    Web browser does not check if any intermediate certificates are revoked.

  • CVE-2009-0161

    chain: Ruby module for OCSP misinterprets a response, preventing detection of a revoked certificate.

  • CVE-2011-2701

    chain: incorrect parsing of replies from OCSP responders allows bypass using a revoked certificate.

  • CVE-2011-0935

    Router can permanently cache certain public keys, which would allow bypass if the certificate is later revoked.

  • CVE-2009-1358

    chain: OS package manager does not properly check the return value, allowing bypass using a revoked certificate.

How attackers exploit it

Step-by-step attacker path

  1. 1

    Identify a code path that handles untrusted input without validation.

  2. 2

    Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.

  3. 3

    Deliver the payload through a normal request and observe the application's reaction.

  4. 4

    Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable C

The following OpenSSL code ensures that there is a certificate before continuing execution.

Vulnerable C 
if (cert = SSL_get_peer_certificate(ssl)) {
```
// got a certificate, do secret things*
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-299

  • Architecture and Design Ensure that certificates are checked for revoked status.
  • Implementation If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.
Detection signals

How to detect CWE-299

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-299 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-299?

This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy certificate.

How serious is CWE-299?

MITRE rates the likelihood of exploit as Medium — exploitation is realistic but typically requires specific conditions.

What languages or platforms are affected by CWE-299?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-299?

Ensure that certificates are checked for revoked status. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.

How does Plexicus detect and fix CWE-299?

Plexicus's SAST engine matches the data-flow signature for CWE-299 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-299?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/299.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-299

CWE-295 Parent

Improper Certificate Validation

This vulnerability occurs when an application fails to properly verify the authenticity of a digital certificate, or performs the…

CWE-296 Sibling

Improper Following of a Certificate's Chain of Trust

This vulnerability occurs when software fails to properly validate the entire certificate chain back to a trusted root authority. This…

CWE-297 Sibling

Improper Validation of Certificate with Host Mismatch

This vulnerability occurs when an application accepts a valid SSL/TLS certificate without properly verifying that it actually belongs to…

CWE-298 Sibling

Improper Validation of Certificate Expiration

This vulnerability occurs when an application fails to properly check if a digital certificate has expired, potentially trusting…

CWE-599 Sibling

Missing Validation of OpenSSL Certificate

This vulnerability occurs when an application uses OpenSSL but fails to properly verify server certificates by not calling…

CWE-370 Child

Missing Check for Certificate Revocation after Initial Check

This vulnerability occurs when software only verifies a certificate's revocation status once, then continues to trust it for subsequent…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.