CWE-477 Base Draft

Use of Obsolete Function

This vulnerability occurs when code relies on deprecated or obsolete functions, indicating outdated practices and insufficient maintenance that can introduce security gaps.

Definition

What is CWE-477?

This vulnerability occurs when code relies on deprecated or obsolete functions, indicating outdated practices and insufficient maintenance that can introduce security gaps.
Programming languages evolve, and functions become obsolete for several key reasons: language advancements, better understanding of secure and efficient operations, and shifting conventions. These deprecated functions are typically replaced by newer, more secure alternatives designed to perform the same tasks more effectively. Using obsolete functions is a clear signal that code hasn't been actively reviewed or updated. This neglect can expose applications to unnecessary risks, as newer functions often address known security flaws, performance issues, or compatibility problems present in their older counterparts.
Real-world impact

Real-world CVEs caused by CWE-477

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.

  2. 2

    Although the code often behaves correctly, using the getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk. Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.

  3. 3

    In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null pointer exception when it attempts to call the "Trim()" method.

  4. 4

    The following code constructs a string object from an array of bytes and a value that specifies the top 8 bits of each 16-bit Unicode character.

  5. 5

    In this example, the constructor may not correctly convert bytes to characters depending upon which charset is used to encode the string represented by nameBytes. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset used to encode the bytes for conversion.

Vulnerable code example

Vulnerable C

The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.

Vulnerable C 
...
  getpw(uid, pwdline);
  for (i=0; i<3; i++){
  	cryptpw=strtok(pwdline, ":");
  	pwdline=0;
  }
  result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
  ...
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-477

  • Implementation Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality.
  • Requirements Consider seriously the security implications of using an obsolete function. Consider using alternate functions.
Detection signals

How to detect CWE-477

Automated Static Analysis - Binary or Bytecode High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Binary / Bytecode Quality Analysis ``` Cost effective for partial coverage: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis

Manual Static Analysis - Binary or Bytecode SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Manual Results Interpretation High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Debugger

Manual Static Analysis - Source Code High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Manual Source Code Review (not inspections) ``` Cost effective for partial coverage: ``` Focused Manual Spotcheck - Focused manual analysis of source

Automated Static Analysis - Source Code High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer

Automated Static Analysis High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Origin Analysis

Plexicus auto-fix

Plexicus auto-detects CWE-477 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-477?

This vulnerability occurs when code relies on deprecated or obsolete functions, indicating outdated practices and insufficient maintenance that can introduce security gaps.

How serious is CWE-477?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-477?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-477?

Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. Consider seriously the security implications of using an obsolete function. Consider using alternate functions.

How does Plexicus detect and fix CWE-477?

Plexicus's SAST engine matches the data-flow signature for CWE-477 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-477?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/477.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-477

CWE-710 Parent

Improper Adherence to Coding Standards

This weakness occurs when developers don't consistently follow established coding standards and best practices, which can introduce…

CWE-1041 Sibling

Use of Redundant Code

This weakness occurs when a codebase contains identical or nearly identical logic duplicated across multiple functions, methods, or…

CWE-1044 Sibling

Architecture with Number of Horizontal Layers Outside of Expected Range

This occurs when a software system is built with either too many or too few distinct architectural layers, falling outside a recommended…

CWE-1048 Sibling

Invokable Control Element with Large Number of Outward Calls

This weakness occurs when a single function, method, or callable code block makes an excessively high number of calls to other objects or…

CWE-1059 Sibling

Insufficient Technical Documentation

This weakness occurs when a software or hardware product lacks comprehensive technical documentation. Missing or incomplete details about…

CWE-1061 Sibling

Insufficient Encapsulation

This weakness occurs when a software component exposes too much of its internal workings, such as data structures or implementation logic.…

CWE-1065 Sibling

Runtime Resource Management Control Element in a Component Built to Run on Application Servers

This weakness occurs when an application built to run on a managed application server bypasses the server's high-level APIs and instead…

CWE-1066 Sibling

Missing Serialization Control Element

This weakness occurs when a class or data structure is marked as serializable but lacks the required control methods to properly handle…

CWE-1068 Sibling

Inconsistency Between Implementation and Documented Design

This weakness occurs when the actual code implementation deviates from the intended design described in its official documentation,…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.