CWE-134: Use of Externally-Controlled Format String

BaseDraftExploit Likelihood: High

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
CC++Perl
Platforms

Frequently Asked Questions

What is CWE-134: Use of Externally-Controlled Format String?+

CWE-134: Use of Externally-Controlled Format String is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

What are the security consequences of Use of Externally-Controlled Format String?+

If exploited, CWE-134 (Use of Externally-Controlled Format String) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Read Memory, Modify Memory and Execute Unauthorized Code or Commands.

How do you prevent or mitigate Use of Externally-Controlled Format String?+

Recommended mitigations for CWE-134 include: Choose a language that is not subject to this flaw. Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117] Run compilers and linkers with high warning levels, since they may detect incorrect usage.

How is Use of Externally-Controlled Format String detected?+

CWE-134 can be detected using Black Box, Automated Static Analysis - Binary or Bytecode, Manual Static Analysis - Source Code, Automated Static Analysis - Source Code and Architecture or Design Review. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Use of Externally-Controlled Format String?+

CWE-134 commonly affects C, C++ and Perl. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Use of Externally-Controlled Format String?+

MITRE documents real CVEs mapped to CWE-134, including CVE-2002-1825, CVE-2001-0717, CVE-2002-0573, CVE-2002-1788 and CVE-2006-2480. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-134 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More