The product calls a function that can never be guaranteed to work safely.
View on MITRECertain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
Ban the use of dangerous functions. Use their safe equivalent.
Use grep or static analysis tools to spot usage of dangerous functions.
No detection method information available for this CWE.
The code below calls gets() to read information into a buffer.
The gets() function in C is inherently unsafe.
The code below calls the gets() function to read in data from the command line.
However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
FTP client uses inherently insecure gets() function and is setuid root on some systems, allowing buffer overflow
View DetailsNo relationship information available for this CWE.
CWE-242: Use of Inherently Dangerous Function is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
If exploited, CWE-242 (Use of Inherently Dangerous Function) it can compromise Other, leading to outcomes such as Varies by Context.
Recommended mitigations for CWE-242 include: Ban the use of dangerous functions. Use their safe equivalent. Use grep or static analysis tools to spot usage of dangerous functions.
CWE-242 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-242, including CVE-2007-4004. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-242 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.