SiteShadow

CWE-129 Improper Validation of Array Index

What this means

SiteShadow flagged an array or list index that is derived from untrusted input and used without a bounds check. In memory-safe languages an out-of-range index usually raises an exception (IndexError, ArrayIndexOutOfBoundsException), which an attacker can trigger repeatedly to cause denial of service; some languages also accept negative indices (Python counts them from the end of the list), so an unchecked index can silently return the wrong element instead of failing. In C and C++ there is no runtime check at all: an out-of-bounds read discloses adjacent memory (CWE-125) and an out-of-bounds write corrupts it (CWE-787), which is the classic route to code execution.

Why it matters

An attacker-controlled index can crash the process, read or return data belonging to another record or user, or, in native code, overwrite memory. Even where the runtime throws safely, an unhandled exception that reaches the client often carries a stack trace and internal paths.

Safer examples

1) Validate index ranges before access (Python)

try:
    idx = int(user_input)          # non-numeric input raises ValueError
except ValueError:
    raise ValueError("Index must be an integer")
# Reject negatives explicitly: Python would otherwise wrap items[-1] to the last element
if idx < 0 or idx >= len(items):
    raise ValueError("Invalid index")
item = items[idx]

2) Prefer IDs over positional indices (recommended)

Expose opaque object IDs, look each one up server-side and check that the caller is authorized to see that object, rather than letting users pick positions in a server-side array (see CWE-286). Positional indices shift when items are added or removed and say nothing about ownership.

3) Fail closed and handle errors safely

Reject an unparseable or out-of-range index with a 400 and a generic error body; never return the exception message or stack trace to the client (see E01). Treat "does not exist" and "exists but is not yours" the same way so the response does not reveal which IDs are in use.
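The following is an added example, not SiteShadow's code, that puts the three points above together in one small handler: untrusted positional input is parsed and bounds-checked (including the Python negative-index wrap), the preferred path looks records up by opaque ID with an ownership check, and every failure returns a generic 4xx body rather than a traceback. The Item type, the ITEMS table, the user names and the handler names are illustrative assumptions; the sample records are constructed for the example.

```python
# Added example (not SiteShadow's own code). Item, ITEMS, handle_get_item and
# handle_get_positional are hypothetical names chosen for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Item:
    item_id: str
    owner: str
    body: str


# Constructed sample data: records belonging to two different users.
ITEMS = {
    "a1": Item("a1", "alice", "alice's private note"),
    "b7": Item("b7", "bob", "bob's private note"),
}

MAX_ID_LEN = 32


def parse_index(raw: str, length: int) -> Optional[int]:
    """Turn untrusted text into an in-range list index, or None.

    Negative values are rejected explicitly: Python would otherwise accept
    items[-1] and silently hand back the last element.
    """
    try:
        idx = int(raw, 10)
    except (TypeError, ValueError):  # None, "", "abc", "0x10", "1e3" ...
        return None
    if idx < 0 or idx >= length:
        return None
    return idx


def handle_get_item(current_user: str, item_id: str) -> tuple[int, dict]:
    """Preferred path: opaque ID plus authorization. Returns (status, body)."""
    # Fail closed on anything that is not a short alphanumeric token.
    if (not isinstance(item_id, str)
            or not 0 < len(item_id) <= MAX_ID_LEN
            or not item_id.isalnum()):
        return 400, {"error": "invalid item id"}
    item = ITEMS.get(item_id)
    # Same 404 for "missing" and "not yours": the response must not reveal
    # which IDs exist in another user's space.
    if item is None or item.owner != current_user:
        return 404, {"error": "not found"}
    return 200, {"id": item.item_id, "body": item.body}


def handle_get_positional(current_user: str, raw_index: str) -> tuple[int, dict]:
    """Legacy positional access, kept only with a bounds check and scoped to
    the caller's own records so no index can reach another user's data."""
    own = [it for it in ITEMS.values() if it.owner == current_user]
    idx = parse_index(raw_index, len(own))
    if idx is None:
        # Generic message only; the exception details stay server-side.
        return 400, {"error": "invalid index"}
    return 200, {"id": own[idx].item_id, "body": own[idx].body}


if __name__ == "__main__":
    print(handle_get_item("alice", "a1"))          # (200, {...})
    print(handle_get_item("bob", "a1"))            # (404, ...) not bob's
    print(handle_get_positional("alice", "-1"))    # (400, ...) no wrap-around
```

In a real web framework the handler would be a view function and the tuple a response object; the shape of the checks is what matters. Note that the 404 branch deliberately collapses "no such ID" and "someone else's ID" into one answer, which is the fail-closed behaviour item 3 asks for.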

How SiteShadow detects it (high level)
