The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list.
These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.
The major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract class-level weaknesses.
Significant downward movement from high-level classes included CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-94: Improper Control of Generation of Code (‘Code Injection’); CWE-269: Improper Privilege Management; and CWE-732: Incorrect Permission Assignment for Critical Resource.
With the relative decline of class-level weaknesses, more specific CWEs have moved higher up in the rankings, such as CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’); CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’); CWE-434: Unrestricted Upload of File with Dangerous Type; CWE-306: Missing Authentication for Critical Function; CWE-502: Deserialization of Untrusted Data; CWE-862: Missing Authorization; and CWE-276: Incorrect Default Permissions.
Leveraging Real-World Data
To create the 2021 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents.
The 2021 CWE Top 25 leverages NVD data from the years 2019 and 2020, which consists of approximately 32,500 CVEs that are associated with a weakness. A scoring formula is used to calculate a ranked order of weaknesses which combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.
For more detailed information including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.
| Rank | ID | Name | Score | 2020 Rank Change |
|---|---|---|---|---|
| [1] | CWE-787 | Out-of-bounds Write | 65.93 | +1 |
| [2] | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.84 | -1 |
| [3] | CWE-125 | Out-of-bounds Read | 24.9 | +1 |
| [4] | CWE-20 | Improper Input Validation | 20.47 | -1 |
| [5] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 19.55 | +5 |
| [6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 19.54 | 0 |
| [7] | CWE-416 | Use After Free | 16.83 | +1 |
| [8] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.69 | +4 |
| [9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 14.46 | 0 |
| [10] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 8.45 | +5 |
| [11] | CWE-306 | Missing Authentication for Critical Function | 7.93 | +13 |
| [12] | CWE-190 | Integer Overflow or Wraparound | 7.12 | -1 |
| [13] | CWE-502 | Deserialization of Untrusted Data | 6.71 | +8 |
| [14] | CWE-287 | Improper Authentication | 6.58 | 0 |
| [15] | CWE-476 | NULL Pointer Dereference | 6.54 | -2 |
| [16] | CWE-798 | Use of Hard-coded Credentials | 6.27 | +4 |
| [17] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 5.84 | -12 |
| [18] | CWE-862 | Missing Authorization | 5.47 | +7 |
| [19] | CWE-276 | Incorrect Default Permissions | 5.09 | +22 |
| [20] | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 4.74 | -13 |
| [21] | CWE-522 | Insufficiently Protected Credentials | 4.21 | -3 |
| [22] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 4.2 | -6 |
| [23] | CWE-611 | Improper Restriction of XML External Entity Reference | 4.02 | -4 |
| [24] | CWE-918 | Server-Side Request Forgery (SSRF) | 3.78 | +3 |
| [25] | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 3.58 | +6 |
