Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-607 Variant Draft
Public Static Final Field References Mutable Object
This vulnerability occurs when a class exposes a public or protected static final field that points to a changeable object. Because the field's reference is constant but the object itself is not,…
Definition
What is CWE-607?
This vulnerability occurs when a class exposes a public or protected static final field that points to a changeable object. Because the field's reference is constant but the object itself is not, malicious code or even accidental code in other packages can modify the object's contents, violating the intended immutability.
The core issue is a misunderstanding of the `final` keyword in Java and similar languages. When applied to an object reference, `final` only guarantees that the reference itself cannot be reassigned to point to a different object. It does not protect the internal state of the object that the reference points to. If that object is mutable—like an array, a collection, or a custom class with public setters—its data can be freely altered, even through the `static final` field.
To prevent this, developers must ensure true immutability. This involves either assigning the static final field to an inherently immutable object (like a `String` or a boxed primitive) or defensively wrapping mutable objects. For collections, use `Collections.unmodifiableList()`, `Map.copyOf()`, or similar methods to create an unmodifiable view or a deep copy before assignment. This practice encapsulates the mutable data and enforces the read-only intent of the public static field.
Real-world impact
Real-world CVEs caused by CWE-607
No public CVE references are linked to this CWE in MITRE's catalog yet.
How attackers exploit it
Step-by-step attacker path
- 1
Identify a code path that handles untrusted input without validation.
- 2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
- 3
Deliver the payload through a normal request and observe the application's reaction.
- 4
Iterate until the response leaks data, executes attacker code, or escalates privileges.
Vulnerable code example
Vulnerable Java
Here, an array (which is inherently mutable) is labeled public static final.
public static final String[] USER_ROLES; Secure code example
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-607
- Implementation Protect mutable objects by making them private. Restrict access to the getter and setter as well.
Detection signals
How to detect CWE-607
Plexicus auto-detects CWE-607 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-607?
How serious is CWE-607?
What languages or platforms are affected by CWE-607?
How can I prevent CWE-607?
How does Plexicus detect and fix CWE-607?
Where can I learn more about CWE-607?
Frequently asked questions
What is CWE-607?
This vulnerability occurs when a class exposes a public or protected static final field that points to a changeable object. Because the field's reference is constant but the object itself is not, malicious code or even accidental code in other packages can modify the object's contents, violating the intended immutability.
How serious is CWE-607?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.
What languages or platforms are affected by CWE-607?
MITRE lists the following affected platforms: Java.
How can I prevent CWE-607?
Protect mutable objects by making them private. Restrict access to the getter and setter as well.
How does Plexicus detect and fix CWE-607?
Plexicus's SAST engine matches the data-flow signature for CWE-607 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-607?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/607.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-607
CWE-471 Parent
Modification of Assumed-Immutable Data (MAID)
This vulnerability occurs when an application fails to protect data it assumes cannot be changed, allowing an attacker to alter it.
CWE-472 Sibling
External Control of Assumed-Immutable Web Parameter
This vulnerability occurs when a web application incorrectly trusts data that appears to be fixed or hidden from the user, such as values…
CWE-473 Sibling
PHP External Variable Modification
This vulnerability occurs when a PHP application fails to properly validate or sanitize variables that originate from outside the…
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.