- What is CWE-1275?
- The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
- What CVEs are caused by CWE-1275?
- 16 recorded CVEs are attributed to CWE-1275, including CVE-2024-6611, CVE-2025-52628, CVE-2023-53957.
- How do you prevent CWE-1275?
- Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.
- How is CWE-1275 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1275?
- Exploiting CWE-1275 can lead to: Modify Application Data.
- Is CWE-1275 actively exploited?
- 16 recorded CVEs are caused by CWE-1275; none are currently in CISA's KEV catalog of actively exploited flaws.