CWE Top 25 for 2024: XSS, SQLi, buffer overflows top the list
The 2024 CWE Top 25 is a list of the most dangerous software weaknesses that resulted in reported high-severity vulnerabilities in the period of mid-2023 to mid-2024. Despite some methodology changes since 2023, the same weaknesses still occupy the top three spots: cross-site scripting (XSS), buffer overflows, and SQL injection. Let’s look at how the CWE Top 25 is compiled, what has changed since last year, and what the practical takeaways are for ensuring software security.
The full top 25 list is a bit daunting and the assigned scores don’t change all that much once you get past the top offenders, so let’s start with just the top 10 to see what really matters:
Top 10 CWEs for 2024
- #1: Cross-site scripting (XSS, officially Improper Neutralization of Input During Web Page Generation, CWE-79, score: 56.92)
- #2: Buffer overflows (officially Out-of-bounds Write, CWE-787, score: 45.20)
- #3: SQL injection (officially Improper Neutralization of Special Elements used in an SQL Command, CWE-89, score: 35.88)
- #4: Cross-site request forgery (CSRF, CWE-352, score: 19.57)
- #5: Path traversal (officially Improper Limitation of a Pathname to a Restricted Directory, CWE-22, score: 12.74)
- #6: Out-of-bounds read (CWE-125, score: 11.42)
- #7: OS command injection (officially Improper Neutralization of Special Elements used in an OS Command, CWE-78, score: 11.30)
- #8: Use after free (CWE-416, score: 10.19)
- #9: Missing authorization (CWE-862, score: 10.11, the only top 10 newcomer)
- #10: Unrestricted upload of file with dangerous type (CWE-434, score: 10.03)
Web vulnerabilities and memory management flaws hog the limelight
While a number of reshuffles have taken place in the lower part of the list, the highest-scoring weaknesses are basically unchanged since 2023, with Missing Authorization being the only newcomer to the top 10 (replacing Improper Input Validation, which moved down slightly to #12). Looking at the scores, the top three weaknesses are way ahead of the rest:
- Cross-site scripting (XSS): A web-only weakness covering any type of software flaw that lets an attacker execute unwanted scripts in the user’s browser, including reflected XSS, stored XSS, and DOM-based XSS.
- Buffer overflows: The official name “Out-of-bounds Write” covers a variety of security flaws that enable code to write to memory addresses outside its intended block (buffer), including buffer overflows, buffer underflows, and arbitrary writes.
- SQL injection: Allows an attacker to execute database commands by injecting SQL statements into the application via unsanitized inputs. SQL injections are nearly always web-based attacks.
Notably, four of the top five weaknesses represent typical web application vulnerabilities, confirming that web-based software appears in the vast majority of high-impact attacks and attack chains. But it’s not a sports tournament, so the rankings are not as important as how all those numbers are calculated and what they actually tell us.
How CWE Top 25 scores are calculated
The full CWE database (maintained by the MITRE Corporation) provides a taxonomy of all possible software and hardware weaknesses that can lead to security vulnerabilities (CVEs) if exploited and reported. The CWE Top 25 is compiled by analyzing CVE reports over a given period and determining the weaknesses that resulted in those vulnerabilities. Each weakness is then assigned a danger score that is a product of the frequency and average CVSS score of its corresponding vulnerabilities (full methodology here).
Because the final score is calculated by multiplying prevalence by severity, the highest scorers in the CWE Top 25 are weaknesses that frequently lead to severe vulnerabilities. In other words, a weakness that results in severe but rare CVEs and one that results in frequent but low-severity CVEs will both get a low danger score.
CWEs form a complex structure with nested hierarchies and cross-links, muddying the picture for high-level analysis. The CWE Top 25 team mapped all the weaknesses identified in the CVEs being analyzed to a simplified collection of 130 major CWEs and worked with that dataset, often reducing families of related CWEs to the broadest meaningful root cause. In contrast to the two previous editions, the CWE Top 25 for 2024 does not separately count weakness chains but, instead, accounts for all CWEs in a given chain. This would explain why Improper Input Validation has moved down the list despite potentially appearing alongside multiple top 10 items in attack chains.
Major themes in the 2024 CWE Top 25
All the top 25 weaknesses can be broadly assigned to one of three informal categories that tell us a lot about the most vulnerable aspects of the software development process. Interestingly, while the specific CWEs are slightly different than in the previous edition, the number of weaknesses per category remains unchanged:
- Working with untrusted inputs (11 CWEs, 60% of the total danger score): Any time you’re dealing with input data that could be controlled by an attacker, you have a potential security risk. This includes not just inputs directly received in requests but also file uploads and deserialization of untrusted data.
- Memory management errors (6 CWEs, 26% of the total danger score): While restricted to programming languages with direct memory access (usually C/C++), insecure memory operations are the #1 avenue for remote code execution, giving such weaknesses and the resulting CVEs a high severity.
- Access management issues (8 CWEs, 14% of the total danger score): From improper authentication and authorization failures at various levels to exposing sensitive information or failing to limit resource consumption, ensuring correct and secure access to systems and resources is vital to limit exposure to attacks and minimize impact.
Using the CWE Top 25 for 2024 in practice
If nothing else, the CWE top 25 serves as yet another reminder that while chasing the latest and greatest in tech and cybersecurity is always more exciting and newsworthy (looking at you, AI), the majority of high-impact application security incidents are still caused by the oldest security weaknesses known to mankind: XSS, SQL injection, and memory management bugs.
The good news is that if you double down on the three major weakness categories and ensure they are an integral part of your application security program, you can mitigate a lot of risk with relatively little effort:
- In all software development, treat all incoming data as untrusted and validate it before use. This includes all types of user inputs and file uploads, database queries (to prevent SQL injection), and even local resources like server logs (to prevent deserialization attacks). Use a high-quality app and API vulnerability scanner to find existing vulnerabilities and prevent similar flaws in the future.
- If you write or maintain C/C++ software, enforce the use of secure memory management routines and make checking them a separate item in your code reviews, QA, and security testing. This is especially important with software for embedded systems and network appliances that are easy to target but hard to maintain and patch.
- For all your applications and especially for APIs, incorporate fine-grained access controls at the level of data, application objects, and functions already during design. All resources should (ideally) have a defined, enforced, and tested level of authentication and authorization across all possible access avenues.
So rather than seeing the CWE Top 25 as the same old issues that just won’t go away, think of it as your guide to prioritizing developer training and security testing—and because it’s ranked by real-world impact, a little effort can go a long way to making real-life improvements to your security posture.