CWE-1041: Use of Redundant Code
The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
Last updated
Overview
CWE-1041 (Use of Redundant Code) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Common consequences
What can happen when CWE-1041 is exploited.
Reduce Maintainability
Affects: Other
This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. For example, if there are two copies of the same code, the programmer might fix a weakness in one copy while forgetting to fix the same weakness in another copy.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1041, grouped by where in the lifecycle they apply.
Merge common functionality into a single function and then call that function from across the entire code base.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following Java example the code performs some complex math when specific test conditions are met. The math is the same in each case and the equations are repeated within the code. Unfortunately if a future change needs to be made then that change needs to be made in all locations. This opens the door to mistakes being made and the changes not being made in the same way in each instance.
Vulnerable example
public class Main {Safe example
public class Main {It is recommended to place the complex math into its own function and then call that function whenever necessary.
Terminology & mappings
Mapped taxonomies
- OMG ASCMM (ASCMM-MNT-19)
Frequently asked questions
Common questions about CWE-1041.
- What is CWE-1041?
- The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
- How do you prevent CWE-1041?
- Merge common functionality into a single function and then call that function from across the entire code base.
- How is CWE-1041 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1041?
- Exploiting CWE-1041 can lead to: Reduce Maintainability.
References
- MITRE CWE definition (CWE-1041) (opens in a new tab)
- CWE-1041 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1041
Get alerted the moment a new CWE-1041 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.