Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.
CWE-650 Variant Incomplete
Trusting HTTP Permission Methods on the Server Side
This vulnerability occurs when a server incorrectly assumes that HTTP GET requests are always safe and cannot change server-side data. Attackers can exploit this flawed assumption to bypass security…
Definition
What is CWE-650?
This vulnerability occurs when a server incorrectly assumes that HTTP GET requests are always safe and cannot change server-side data. Attackers can exploit this flawed assumption to bypass security controls and perform unauthorized actions like modifying or deleting resources.
HTTP methods like GET are designed by specification to retrieve information without side effects, leading developers to sometimes rely on them as a security boundary. The problem is that the protocol itself doesn't enforce this; it's entirely up to the application code. Developers can—and often do—program their endpoints to accept GET requests that create, update, or delete data, especially in REST APIs. If access controls are only checked for methods like POST, PUT, or DELETE, attackers can simply use a GET request to perform the same dangerous actions.
You must enforce authorization checks based on the user's permissions and the action's intent, not the HTTP method used. Never assume that POST, PUT, or DELETE are the only methods capable of altering state. Your security logic should validate every request, regardless of whether it's a GET or another method, to ensure the user is authorized for the specific operation they are trying to perform.
Real-world impact
Real-world CVEs caused by CWE-650
No public CVE references are linked to this CWE in MITRE's catalog yet.
How attackers exploit it
Step-by-step attacker path
- 1
Identify a code path that handles untrusted input without validation.
- 2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
- 3
Deliver the payload through a normal request and observe the application's reaction.
- 4
Iterate until the response leaks data, executes attacker code, or escalates privileges.
Vulnerable code example
Vulnerable pseudo
MITRE has not published a code example for this CWE. The pattern below is illustrative — see Resources for canonical references.
// Example pattern — see MITRE for the canonical references.
function handleRequest(input) {
// Untrusted input flows directly into the sensitive sink.
return executeUnsafe(input);
} Secure code example
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-650
- System Configuration Configure ACLs on the server side to ensure that proper level of access control is defined for each accessible resource representation.
Detection signals
How to detect CWE-650
Run dynamic application security testing against the live endpoint.
Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.
Code review: flag any new code that handles input from this surface without using the validated framework helpers.
Plexicus auto-detects CWE-650 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-650?
How serious is CWE-650?
What languages or platforms are affected by CWE-650?
How can I prevent CWE-650?
How does Plexicus detect and fix CWE-650?
Where can I learn more about CWE-650?
Frequently asked questions
What is CWE-650?
This vulnerability occurs when a server incorrectly assumes that HTTP GET requests are always safe and cannot change server-side data. Attackers can exploit this flawed assumption to bypass security controls and perform unauthorized actions like modifying or deleting resources.
How serious is CWE-650?
MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.
What languages or platforms are affected by CWE-650?
MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.
How can I prevent CWE-650?
Configure ACLs on the server side to ensure that proper level of access control is defined for each accessible resource representation.
How does Plexicus detect and fix CWE-650?
Plexicus's SAST engine matches the data-flow signature for CWE-650 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-650?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/650.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-650
CWE-436 Parent
Interpretation Conflict
An interpretation conflict occurs when two systems process the same data or sequence of events differently, leading one system to make…
CWE-113 Sibling
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
This vulnerability occurs when an application accepts user-supplied data and includes it directly in HTTP headers without properly…
CWE-115 Sibling
Misinterpretation of Input
This vulnerability occurs when software incorrectly interprets or processes input data, leading to unintended and potentially harmful…
CWE-437 Sibling
Incomplete Model of Endpoint Features
This vulnerability occurs when a security product, proxy, or monitoring system sits between endpoints but lacks a full understanding of…
CWE-444 Sibling
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
This weakness occurs when a proxy, firewall, or other intermediary HTTP agent interprets a malformed HTTP request or response differently…
CWE-626 Sibling
Null Byte Interaction Error (Poison Null Byte)
This vulnerability occurs when software incorrectly processes null bytes (NUL characters) as data moves between different systems or…
CWE-86 Sibling
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
This vulnerability occurs when an application fails to properly filter or escape invalid characters within web identifiers like HTML tag…
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.