CWE-643 XPath Injection
What this means
SiteShadow flagged XPath being constructed from untrusted input. This is the same core risk as CWE-91, but commonly appears in "XML query/filter" helper functions where developers dynamically stitch together XPath fragments.
Why it matters
XPath injection can expose or alter XML data.
- Unauthorized reads of XML-backed data (users can select nodes they shouldn't).
- Logic manipulation (e.g., `or 1=1`-style predicate tricks in XPath).
- Auth/role bypass if XPath results are trusted.
Safer examples
1) Don't concatenate predicates from user input
If you need "filters", support a small allowlisted set of fields/operators and map them to safe expressions.
2) Validate inputs to strict formats
IDs/usernames should match tight allowlists (see CWE-20 / CWE-86).
import re

# Reject anything outside a tight character allowlist before it can reach an XPath expression.
if not re.fullmatch(r"[a-zA-Z0-9_-]{1,64}", user_id):
    raise ValueError("Invalid id")
3) Use parameterization/variables where supported
Many XPath engines support variables/bindings—use those instead of string concatenation (see CWE-91).
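The three steps above combined in one small helper, as an added example (not SiteShadow's own code): an allowlisted field map plus strict value validation, placed beside the concatenation pattern the scanner flags. It uses only the standard library's ElementTree and a constructed sample document; `unsafe_user_xpath`, `safe_user_xpath`, `find_user_role` and `filter_is_accepted` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document standing in for an XML-backed user store.
USERS_XML = """
<users>
  <user id="u1" name="alice" role="admin"/>
  <user id="u2" name="bob" role="user"/>
</users>
"""
ROOT = ET.fromstring(USERS_XML.strip())

# Step 1: external filter names map to fixed attribute tests; nothing else is accepted.
ALLOWED_FIELDS = {"id": "@id", "name": "@name"}
# Step 2: tight value format; excludes quotes, brackets and the operators a predicate trick needs.
VALUE_RE = re.compile(r"[a-zA-Z0-9_-]{1,64}")


def unsafe_user_xpath(field: str, value: str) -> str:
    """The flagged pattern: untrusted field and value stitched straight into the expression."""
    return f".//user[@{field}='{value}']"


def safe_user_xpath(field: str, value: str) -> str:
    """Build the expression only from an allowlisted field and a validated value."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unsupported filter field: {field!r}")
    if not VALUE_RE.fullmatch(value):
        raise ValueError("invalid filter value")
    # The value is now a plain token, so the quoting around it cannot be broken out of.
    return f".//user[{ALLOWED_FIELDS[field]}='{value}']"


def find_user_role(field: str, value: str, root: ET.Element = ROOT):
    """Resolve a user's role through the hardened expression; None when no user matches."""
    node = root.find(safe_user_xpath(field, value))
    return node.get("role") if node is not None else None


def filter_is_accepted(field: str, value: str) -> bool:
    """True when the (field, value) pair passes the allowlist and format checks."""
    try:
        safe_user_xpath(field, value)
    except ValueError:
        return False
    return True
```

Where the XPath engine supports variable binding (step 3), pass the validated value as a bound variable instead of formatting it into the string; the allowlist on the field name still applies, since variables cannot stand in for attribute names.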
How SiteShadow detects it (high level)
- Detects dynamic XPath string building and tracks untrusted sources flowing into the expression.
- Prioritizes cases used for authorization, user selection, or sensitive data retrieval.
References
- CWE-643: https://cwe.mitre.org/data/definitions/643.html
---