CWE-829

The product imports or includes a library, script, or resource from an untrusted source or in an untrusted environment....

Verified by Precogs Threat Research
BASE SCORE
7.5 CRITICAL

Precogs AI Insight

"Precogs AI identifies dependency confusion, typosquatting, and untrusted package inclusion across software supply chains."

EXPLOIT PROBABILITYHigh
PUBLIC POCAvailable

What is CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)?

The product imports or includes a library, script, or resource from an untrusted source or in an untrusted environment.

Vulnerability Insights

Inclusion of Functionality from Untrusted Control Sphere (CWE-829) represents a significant security risk across modern software systems. This weakness enables attackers to exploit supply chain flaws in applications, potentially leading to unauthorized access, data exfiltration, or remote code execution. Organizations must implement defense-in-depth strategies combining static analysis, runtime monitoring, and binary analysis to detect and mitigate these vulnerabilities.

Impact on Systems

  • Compromise of Application Integrity: Predictable execution flow is disrupted
  • Potential Data Exposure: Depending on context, sensitive configurations may leak
  • Availability Risks: Unexpected states leading to temporary denial of service

Real-World Attack Scenario

An attacker probes the system interfaces to identify areas where the input or state related to Inclusion of Functionality from Untrusted Control Sphere is improperly handled. Once identified, they craft a payload tailored to the specific backend architecture. By exploiting the lack of robust structural validation, the attacker is able to force the application into an unintended state, bypassing standard business logic and achieving unauthorized outcomes.

Code Examples

Vulnerable Implementation

// VULNERABLE: Unvalidated input leading to Inclusion of Functionality from Untrusted Control Sphere
function processInput(data) {
    // Missing strict validation or sanitization
    executeOrStoreConfig(data);
}

Secure Alternative

// SECURE: Proper validation mitigating Inclusion of Functionality from Untrusted Control Sphere
function processInput(data) {
    if (!isValid(data)) throw new Error('Invalid input');
    const safeData = sanitize(data);
    executeOrStoreConfig(safeData);
}

Detection with Precogs AI

Precogs AI identifies dependency confusion, typosquatting, and untrusted package inclusion across software supply chains. Our binary analysis engine examines compiled artifacts without requiring source code access, identifying CWE-829 patterns in vendor software, containers, firmware, and third-party libraries.

Remediation

Implement proper supply chain controls following secure coding guidelines. Use automated scanning tools like Precogs AI to continuously monitor for CWE-829 vulnerabilities across your software supply chain. Apply the principle of least privilege and validate all inputs from untrusted sources.

CVEs Classified Under CWE-8296 vulnerabilities

The following CVEs have been classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). Each CVE represents a specific vulnerability instance of this weakness type.

CVE-2025-61592[cursor] Arbitrary code execution Permissive CLI Config in Cursor CLI
CVSS 8HIGHOct 2, 2025
CVE-2025-54135[cursor] Arbitrary code execution from Cursor Agent through a prompt injection via MCP Special Files
CVSS 8HIGHAug 2, 2025
CVE-2026-4295Improper trust boundary enforcement in Kiro IDE before version 0
CVSS 7.8HIGHMar 17, 2026
CVE-2026-22217OpenClaw version 2026
CVSS 5.3MEDIUMMar 18, 2026
CVE-2026-33075FastGPT is an AI Agent building platform
CVSS 0UNKNOWNMar 20, 2026
CVE-2026-4255A DLL search order hijacking vulnerability in Thermalright TR-VISION HOME on Windows (64-bit) allows a local attacker to escalate privileges via DLL side-loading
CVSS 0UNKNOWNMar 16, 2026

Supplemental Intelligence & References

📋 OWASP Top 10

📖 Security Guides

🔗 External References