CWE-669 Class Draft

Incorrect Resource Transfer Between Spheres

Definition

What is CWE-669?

This vulnerability occurs when an application incorrectly moves or shares a resource (like data, permissions, or functionality) between different trust boundaries or security contexts. This improper transfer can give unintended actors control over that resource, leading to security breaches.

Think of your application as having separate, secure zones—like a user interface (client-side), a backend server, and an administrative panel. Each zone has its own level of trust and permitted actions. This weakness happens when a resource, such as a user session, a file handle, or an administrative function, is mistakenly allowed to cross from a less-trusted zone into a more-trusted one, or is imported without proper validation. For example, a web application might incorrectly accept and process a user-supplied file path as if it originated from the secure server itself, allowing an attacker to access sensitive system files. To prevent this, developers must enforce strict boundaries between different spheres of control. Always validate and sanitize any resource that moves between contexts, explicitly check the origin of requests, and implement the principle of least privilege so that resources can only be used within their intended security scope. Auditing data flows and trust transitions in your architecture is key to identifying and fixing these improper transfers.

Real-world impact

Real-world CVEs caused by CWE-669

CVE-2021-22909

Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
CVE-2023-5227

PHP-based FAQ management app does not check the MIME type for uploaded images
CVE-2005-0406

Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).

How attackers exploit it

Step-by-step attacker path

1
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.
2
When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.
3
This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code.
4
Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.
5
This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.

Vulnerable code example

Vulnerable Java

When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.

Vulnerable Java

public class FileUploadServlet extends HttpServlet {
  		...
  		protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  				response.setContentType("text/html");
  				PrintWriter out = response.getWriter();
  				String contentType = request.getContentType();
  				// the starting position of the boundary header
  				int ind = contentType.indexOf("boundary=");
  				String boundary = contentType.substring(ind+9);
  				String pLine = new String();
  				String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value
  				// verify that content type is multipart form data
  				if (contentType != null && contentType.indexOf("multipart/form-data") != -1) {
  						// extract the filename from the Http header
  						BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
  						...
  						pLine = br.readLine();
  						String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));
  						...
  						// output the file to the local upload directory
  						try {
  								BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));
  								for (String line; (line=br.readLine())!=null; ) {
  									if (line.indexOf(boundary) == -1) {
  										bw.write(line);
  										bw.newLine();
  										bw.flush();
  									}
  								} //end of for loop
  								bw.close();
  						} catch (IOException ex) {...}
  						// output successful upload response HTML page
  				}
  				// output unsuccessful upload response HTML page
  				else
  				{...}
  		}
  			...
  }

Secure code example

Secure HTML

The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.

Secure HTML

<form action="FileUploadServlet" method="post" enctype="multipart/form-data">
  Choose a file to upload:
  <input type="file" name="filename"/>
  <br/>
  <input type="submit" name="submit" value="Submit"/>
  </form>

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-669

Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
Implementation Validate input at trust boundaries; use allowlists, not denylists.
Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
Operation Monitor logs for the runtime signals listed in the next section.

Detection signals

How to detect CWE-669

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-669 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-669?

How serious is CWE-669?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-669?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-669?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

How does Plexicus detect and fix CWE-669?

Plexicus's SAST engine matches the data-flow signature for CWE-669 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-669?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/669.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-669

CWE-664 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Incorrect Resource Transfer Between Spheres

What is CWE-669?

Real-world CVEs caused by CWE-669

Step-by-step attacker path

Vulnerable Java

Secure HTML

How to prevent CWE-669

How to detect CWE-669

Plexicus auto-detects CWE-669 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-669

Improper Control of a Resource Through its Lifetime

Incorrect Access of Indexable Resource ('Range Error')

Creation of Emergent Resource

Improper Preservation of Consistency Between Independent Representations of Shared State

Reliance on Component That is Not Updateable

Information Loss or Omission

Incomplete Internal State Distinction

Uncontrolled Resource Consumption

Improper Resource Shutdown or Release

Further reading

Don't Let Security
Weigh You Down.

Incorrect Resource Transfer Between Spheres

What is CWE-669?

Real-world CVEs caused by CWE-669

Step-by-step attacker path

Vulnerable Java

Secure HTML

How to prevent CWE-669

How to detect CWE-669

Plexicus auto-detects CWE-669 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-669

Improper Control of a Resource Through its Lifetime

Incorrect Access of Indexable Resource ('Range Error')

Creation of Emergent Resource

Improper Preservation of Consistency Between Independent Representations of Shared State

Reliance on Component That is Not Updateable

Information Loss or Omission

Incomplete Internal State Distinction

Uncontrolled Resource Consumption

Improper Resource Shutdown or Release

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.