CWE WEAKNESSES / CWE-89
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Base EXPLOIT LIKELIHOOD: HIGH
What it is
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Impact
| Confidentiality, Integrity, Availability | Execute Unauthorized Code or Commands |
| Confidentiality | Read Application Data |
| Authentication | Gain Privileges or Assume Identity, Bypass Protection Mechanism |
| Access Control | Bypass Protection Mechanism |
| Integrity | Modify Application Data |
Mitigations
- [Architecture and Design]Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
- [Architecture and Design]If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.Process SQL queries using prepared statements, parameterized queries, or stored proc
- [Architecture and Design, Operation]Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- [Implementation]While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or wh
- [Implementation]Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.When performing input validation, consider all potentially relevant properties, including length, type of input, the full r
- [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- [Implementation]Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine
Real-world CVE examples
- CVE-2024-6847 — SQL injection in AI chatbot via a conversation message
- CVE-2025-26794 — SQL injection in e-mail agent through SQLite integration
- CVE-2023-32530 — SQL injection in security product dashboard using crafted certificate fields
- CVE-2021-42258 — SQL injection in time and billing software, as exploited in the wild per CISA KEV.
- CVE-2021-27101 — SQL injection in file-transfer system via a crafted Host header, as exploited in the wild per CISA KEV.
- CVE-2020-12271 — SQL injection in firewall product's admin interface or user portal, as exploited in the wild per CISA KEV.
- CVE-2019-3792 — An automation system written in Go contains an API that is vulnerable to SQL injection allowing the attacker to read privileged data.
- CVE-2004-0366 — chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass.
- CVE-2008-2790 — SQL injection through an ID that was supposed to be numeric.
- CVE-2008-2223 — SQL injection through an ID that was supposed to be numeric.
- CVE-2007-6602 — SQL injection via user name.
- CVE-2008-5817 — SQL injection via user name or password fields.
Related weaknesses
Test & detect
Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.
Source: MITRE CWE. View on cwe.mitre.org →