CWE-374 Base Draft Medium likelihood

Passing Mutable Objects to an Untrusted Method

This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy of that data.

Definition

What is CWE-374?

This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy of that data.
When you pass a mutable object directly to a method—especially one from an external library or untrusted code—that method can alter or even delete the contents of your object. This breaks a fundamental assumption in your code: that the data you own remains under your control. The called function might change values, add unexpected elements, or clear the object entirely, leading to inconsistent states, crashes, or logic errors in your application. To prevent this, you should create and pass a defensive copy (a clone or deep copy) of the mutable data before sending it to any code you don't fully control. This ensures the original data remains intact and valid, regardless of what the external method does. Always treat mutable data passed across trust boundaries as potentially hostile and isolate it through copying.
Real-world impact

Real-world CVEs caused by CWE-374

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following example demonstrates the weakness.

  2. 2

    In this example, bar and baz will be passed by reference to doOtherStuff() which may change them.

  3. 3

    In the following Java example, the BookStore class manages the sale of books in a bookstore, this class includes the member objects for the bookstore inventory and sales database manager classes. The BookStore class includes a method for updating the sales database and inventory when a book is sold. This method retrieves a Book object from the bookstore inventory object using the supplied ISBN number for the book class, then calls a method for the sales object to update the sales information and then calls a method for the inventory object to update inventory for the BookStore.

  4. 4

    However, in this example the Book object that is retrieved and passed to the method of the sales object could have its contents modified by the method. This could cause unexpected results when the book object is sent to the method for the inventory object to update the inventory.

  5. 5

    In the Java programming language arguments to methods are passed by value, however in the case of objects a reference to the object is passed by value to the method. When an object reference is passed as a method argument a copy of the object reference is made within the method and therefore both references point to the same object. This allows the contents of the object to be modified by the method that holds the copy of the object reference. [REF-374]

Vulnerable code example

Vulnerable C

The following example demonstrates the weakness.

Vulnerable C 
private:
  	int foo;
  	complexType bar;
  	String baz;
  	otherClass externalClass;
  public:
  	void doStuff() {
  		externalClass.doOtherStuff(foo, bar, baz)
  	}
Secure code example

Secure Java

To prevent the contents of the Book object from being modified, a copy of the Book object should be made before the method call to the sales object. In the following example a copy of the Book object is made using the clone() method and the copy of the Book object is passed to the method of the sales object. This will prevent any changes being made to the original Book object.

Secure Java 
...
  public void updateSalesAndInventoryForBookSold(String bookISBN) {
```
// Get book object from inventory using ISBN* 
  		Book book = inventory.getBookWithISBN(bookISBN);
  		
  		 *// Create copy of book object to make sure contents are not changed* 
  		Book bookSold = (Book) book.clone();
  		
  		 *// update sales information for book sold* 
  		sales.updateSalesInformation(bookSold);
  		
  		 *// update inventory* 
  		inventory.updateInventory(book);}
  ...
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-374

  • Implementation Pass in data which should not be altered as constant or immutable.
  • Implementation Clone all mutable data before passing it into an external function . This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.
Detection signals

How to detect CWE-374

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-374 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-374?

This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy of that data.

How serious is CWE-374?

MITRE rates the likelihood of exploit as Medium — exploitation is realistic but typically requires specific conditions.

What languages or platforms are affected by CWE-374?

MITRE lists the following affected platforms: C, C++, Java, C#.

How can I prevent CWE-374?

Pass in data which should not be altered as constant or immutable. Clone all mutable data before passing it into an external function . This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.

How does Plexicus detect and fix CWE-374?

Plexicus's SAST engine matches the data-flow signature for CWE-374 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-374?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/374.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-374

CWE-668 Parent

Exposure of Resource to Wrong Sphere

This vulnerability occurs when an application unintentionally makes a resource accessible to users or systems that should not have…

CWE-1189 Sibling

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly separate shared hardware resources between secure (trusted) and…

CWE-1282 Sibling

Assumed-Immutable Data is Stored in Writable Memory

This vulnerability occurs when data that should be permanent and unchangeable—like a bootloader, device IDs, or one-time configuration…

CWE-1327 Sibling

Binding to an Unrestricted IP Address

This vulnerability occurs when software or a service is configured to bind to the IP address 0.0.0.0 (or :: in IPv6), which acts as a…

CWE-1331 Sibling

Improper Isolation of Shared Resources in Network On Chip (NoC)

This vulnerability occurs when a Network on Chip (NoC) fails to properly separate its internal, shared resources—like buffers, switches,…

CWE-134 Sibling

Use of Externally-Controlled Format String

This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a…

CWE-200 Sibling

Exposure of Sensitive Information to an Unauthorized Actor

This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it.

CWE-375 Sibling

Returning a Mutable Object to an Untrusted Caller

This vulnerability occurs when a method directly returns a reference to its internal mutable data, allowing untrusted calling code to…

CWE-377 Sibling

Insecure Temporary File

This vulnerability occurs when an application creates temporary files with insecure permissions or in predictable locations, allowing…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo