CWE Top 25 Most Dangerous Software Weaknesses for 2022 Announced
On June 28, the Common Weakness Enumeration (CWE) team announced the release of the 2022 Top 25 Most Dangerous Software Weaknesses list. Out-of-bounds writes, cross-site scripting (XSS), and SQL injection once again head this year’s CWE Top 25.
Software flaws are selected for the CWE Top 25 based on their potential to cause damage and their pervasiveness. Attackers “can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a Denial-of-Service condition,” the Cybersecurity and Infrastructure Security Agency (CISA) said in its announcement of the release.
This year’s CWE Top 25 was developed using over 37,000 entries from the publicly available National Vulnerability Database, covering the previous two calendar years. Software weaknesses are rated based on severity and frequency to determine where they fall on the list.
Out-of-bounds writes and XSS have now taken the top two spots on the list for three years running, while SQL injection jumped from sixth place—which it had held for the previous two years—to third.
CWE Top 25 Most Dangerous Software Weaknesses for 2022
1. Out-of-bounds write
2. Cross-site scripting
3. SQL injection
4. Improper input validation
5. Out-of-bounds read
6. OS command injection
7. Use after free
8. Path traversal
9. Cross-site request forgery (CSRF)
10. Unrestricted upload of file with dangerous type
11. NULL pointer dereference
12. Deserialization of untrusted data
13. Integer overflow or wraparound
14. Improper authentication
15. Use of hard-coded credentials
16. Missing authorization
17. Command injection
18. Missing authentication for critical function
19. Improper restriction of operations within the bounds of a memory buffer
20. Incorrect default permissions
21. Server-side request forgery (SSRF)
22. Race condition
23. Uncontrolled resource consumption
24. Improper restriction of XML external entity reference
25. Code injection
“As with past years, there is a continued transition in the Top 25 to more specific base-level weaknesses,” the CWE team noted in its analysis of this year’s changes, adding that there’s also been “a slow decline in the number of unique class-level weaknesses.”
Class-level weaknesses are relatively high level and generally aren’t limited to a particular language or technology, while base-level weaknesses are defined with enough detail to indicate specific detection and prevention methods. By increasing the CWE Top 25’s emphasis on base-level weaknesses, the CWE program hopes to help software professionals looking for concrete ways to mitigate cyber risk.
“The program’s goal is that this trend will benefit users attempting to better understand and address the issues that threaten today’s systems at a more operational level,” said the CWE team. “Base-level weaknesses are more informative and conducive to practical mitigation than higher, class-level weaknesses.”
The CWE Top 25 list is released each year by the Homeland Security Systems Engineering and Development Institute, which is sponsored by CISA and operated by the MITRE Corporation. To read the full 2022 CWE Top 25 list and analysis, visit https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html.
Lev Craig is an editor at EC-Council covering cybersecurity, blockchain, and DevOps. Before joining EC-Council, Lev worked as a freelance writer and editor in a range of areas in tech, including AI and machine learning, software development, and data privacy. Lev graduated from Harvard University in 2016 with a B.A. in English and lives in New York’s Hudson River Valley.
References
Common Weakness Enumeration Team. (2020). 2020 CWE Top 25 most dangerous software weaknesses. https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
Common Weakness Enumeration Team. (2021). 2021 CWE Top 25 most dangerous software weaknesses. https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
Common Weakness Enumeration Team. (2022). 2022 CWE Top 25 most dangerous software weaknesses. https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
The MITRE Corporation. (n.d.). Base weakness. In CWE glossary. Retrieved June 29, 2022, from https://cwe.mitre.org/documents/glossary/#Base%20Weakness
The MITRE Corporation. (n.d.). Class weakness. In CWE glossary. Retrieved June 29, 2022, from https://cwe.mitre.org/documents/glossary/#Class%20Weakness