CWE-595: Comparison of Object References Instead of Object Contents

VariantIncomplete

The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

View on MITRE
Back to CWE Lookup

Extended Description

For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings' references, not their values.

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
JavaJavaScriptPHPNot Language-Specific
Platforms

Frequently Asked Questions

What is CWE-595: Comparison of Object References Instead of Object Contents?+

CWE-595: Comparison of Object References Instead of Object Contents is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings' references, not their values.

What are the security consequences of Comparison of Object References Instead of Object Contents?+

If exploited, CWE-595 (Comparison of Object References Instead of Object Contents) it can compromise Other, leading to outcomes such as Varies by Context.

How do you prevent or mitigate Comparison of Object References Instead of Object Contents?+

Recommended mitigations for CWE-595 include: In Java, use the equals() method to compare objects instead of the == operator. If using ==, it is important for performance reasons that your objects are created by a static factory, not by a constructor.

Which programming languages are affected by Comparison of Object References Instead of Object Contents?+

CWE-595 commonly affects Java, JavaScript, PHP and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-595 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More