Skip to content

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Overview

This vulnerability occurs when an application includes code, libraries, or functionality from untrusted sources, allowing attackers to introduce malicious behavior or compromise the system.

OWASP Classification

A08:2025 - Software or Data Integrity Failures

Risk

Critical: Attackers can execute arbitrary code, steal data, or escalate privileges by injecting malicious functionality into the application.

Remediation Steps

Core principle: Never execute or load functionality from sources whose integrity and provenance are not explicitly verified; all executable code must originate from a trusted, controlled source.

Locate the untrusted code inclusion in your application

  • Review the flaw details to identify the specific file, line number, and code pattern
  • Identify where untrusted code or functionality is being included (dynamic imports, exec(), eval(), third-party libraries)
  • Trace the data flow: where is the code source coming from (URL, user input, external API, package manager)
  • Determine the risk: what privileges does the included code have, what data can it access

Only use trusted, verified components (Primary Defense)

  • Download libraries from reputable sources: Use official package managers (npm, PyPI, Maven Central, NuGet), not arbitrary URLs
  • Verify integrity using cryptographic signatures: Check package signatures, verify checksums/hashes (SHA-256) of downloaded files
  • Use dependency lock files: Lock versions with package-lock.json, requirements.txt with hashes, Gemfile.lock
  • Avoid dynamic code execution: Never use exec(), eval(), Function() with untrusted data
  • Pin dependency versions: Specify exact versions (1.2.3) not ranges (^1.0.0, >=1.0.0) for critical dependencies

Apply least privilege and isolation to included functionality

  • Restrict permissions of third-party components: Use sandboxing, containerization (Docker), VMs for untrusted code
  • Isolate untrusted code: Run in separate process with limited system access, use Web Workers for browser code
  • Use Content Security Policy (CSP): Restrict script sources in web applications with strict CSP headers
  • Apply principle of least privilege: Grant minimum necessary permissions to third-party libraries

Apply additional supply chain protections

  • Remove unused or unnecessary components: Eliminate unused libraries to reduce attack surface (use dependency analysis tools)
  • Scan dependencies for known vulnerabilities: Use npm audit, Snyk, Dependabot, OWASP Dependency-Check
  • Use Subresource Integrity (SRI): Verify CDN-hosted resources with SRI hashes in <script> tags
  • Implement vendor risk assessment: Review third-party library security practices, maintenance status, CVE history

Monitor and audit third-party usage

  • Regularly review and update third-party dependencies (monthly security patching, quarterly major updates)
  • Log and alert on unexpected or unauthorized functionality (new network connections, file access, unexpected API calls)
  • Use Software Composition Analysis (SCA) tools to track dependencies and vulnerabilities
  • Monitor package manager security advisories (GitHub Security Advisories, npm security alerts)

Test the remediation thoroughly

  • Verify the specific untrusted source is no longer used
  • Test that only verified, signed components are included
  • Verify CSP headers and SRI attributes are working correctly
  • Test with dependency scanning tools to confirm no high-risk dependencies
  • Re-scan with security scanner to confirm the issue is resolved

Common Vulnerable Patterns

  • Including code from unverified or unauthenticated sources
  • Failing to validate or restrict third-party functionality

Dynamic Code Execution from Untrusted URL (Python)

# Imports code from untrusted source
exec(requests.get(untrusted_url).text)

Why this is vulnerable: Dynamically executing code fetched from external URLs allows attackers to inject arbitrary malicious code that runs with full application privileges, enabling remote code execution, data theft, system compromise, or complete application takeover without any validation or sandboxing.

Secure Patterns

Trusted Package Management (Python)

# Uses only trusted, verified libraries from vetted sources
import trusted_library  # Installed via pip from PyPI
# Verify with: pip install --require-hashes trusted_library

Why this works:

  • Restricts code imports to trusted package repositories (PyPI, npm, Maven Central) with integrity verification
  • Prevents remote code execution from arbitrary URLs or user-controlled sources
  • Uses package managers that verify cryptographic signatures and checksums
  • Avoids dynamic code execution (exec, eval) on untrusted input or network-fetched code
  • Enables dependency scanning and vulnerability monitoring through Software Bill of Materials (SBOM)

Dynamic Scan Guidance

For guidance on remediating this CWE when detected by dynamic (DAST) scanners:

Additional Resources