CWE-300 Class Draft

Channel Accessible by Non-Endpoint

This vulnerability occurs when a system fails to properly verify who is on the other end of a communication link or to secure the channel itself. This allows an unauthorized third party to access or…

Definition

What is CWE-300?

Secure communication requires confidently knowing who you're talking to at both ends of the connection. If a system performs weak, inconsistent, or missing identity checks, it can't be sure if the other party is genuine. Attackers exploit this gap by inserting themselves into the channel, impersonating a trusted endpoint. Once in the middle, they can silently eavesdrop on or alter the data flowing between the two original, unsuspecting parties. For developers, the core issue is misplaced trust. Without robust endpoint verification—like mutual authentication—your application might share sensitive data with an impostor. To prevent this, ensure your implementation validates identities at both ends using strong, cryptographic methods and maintains the channel's integrity to block unauthorized access or tampering.

Real-world impact

Real-world CVEs caused by CWE-300

CVE-2014-1266

chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversry-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).

How attackers exploit it

Step-by-step attacker path

1
Identify a code path that handles untrusted input without validation.
2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
3
Deliver the payload through a normal request and observe the application's reaction.
4
Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable Java

In the Java snippet below, data is sent over an unencrypted channel to a remote server.

Vulnerable Java

Socket sock;
  PrintWriter out;
  try {
  		sock = new Socket(REMOTE_HOST, REMOTE_PORT);
  		out = new PrintWriter(echoSocket.getOutputStream(), true);
```
// Write data to remote host via socket output stream.* 
  		...}

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-300

Implementation Always fully authenticate both ends of any communications channel.
Architecture and Design Adhere to the principle of complete mediation.
Implementation A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure.

Detection signals

How to detect CWE-300

Automated Dynamic Analysis

Some tools can act as proxy servers that allow the tester to intercept packets or messages, inspect them, and modify them before sending them to the destination in order to see if the modified packets are still accepted by the receiving component.

Automated Dynamic Analysis

Dynamic Application Security Testing (DAST) tools can be used to detect network traffic without encryption and/or verification. The affected protocol may be subject to Adversary-in-the-Middle attacks. Some tools act as proxy servers that allow the tester to inspect and modify packets/messages to see if they are still accepted by the receiving component.

Automated Static Analysis Moderate

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) The analysis could identify use of protocols that are subject to Adversary-in-the-Middle attacks.

Plexicus auto-fix

Plexicus auto-detects CWE-300 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-300?

How serious is CWE-300?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-300?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-300?

Always fully authenticate both ends of any communications channel. Adhere to the principle of complete mediation.

How does Plexicus detect and fix CWE-300?

Plexicus's SAST engine matches the data-flow signature for CWE-300 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-300?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/300.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-300

CWE-923 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo

Channel Accessible by Non-Endpoint

What is CWE-300?

Real-world CVEs caused by CWE-300

Step-by-step attacker path

Vulnerable Java

Secure pseudo

How to prevent CWE-300

How to detect CWE-300

Plexicus auto-detects CWE-300 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-300

Improper Restriction of Communication Channel to Intended Endpoints

Sensitive Cookie with Improper SameSite Attribute

Reliance on IP Address for Authentication

Improper Validation of Certificate with Host Mismatch

Unprotected Primary Channel

Unprotected Alternate Channel

Improper Verification of Source of a Communication Channel

Incorrectly Specified Destination in a Communication Channel

Permissive Cross-domain Security Policy with Untrusted Domains

Further reading

Don't Let Security
Weigh You Down.

Channel Accessible by Non-Endpoint

What is CWE-300?

Real-world CVEs caused by CWE-300

Step-by-step attacker path

Vulnerable Java

Secure pseudo

How to prevent CWE-300

How to detect CWE-300

Plexicus auto-detects CWE-300 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-300

Improper Restriction of Communication Channel to Intended Endpoints

Sensitive Cookie with Improper SameSite Attribute

Reliance on IP Address for Authentication

Improper Validation of Certificate with Host Mismatch

Unprotected Primary Channel

Unprotected Alternate Channel

Improper Verification of Source of a Communication Channel

Incorrectly Specified Destination in a Communication Channel

Permissive Cross-domain Security Policy with Untrusted Domains

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.