The product is released with debugging code still enabled or active.

What CVEs are caused by CWE-489?

72 recorded CVEs are attributed to CWE-489, including CVE-2023-4804, CVE-2021-40419, CVE-2022-25995.

Is CWE-489 part of the OWASP Top 10?

CWE-489 maps to OWASP Top Ten 2004: Insecure Configuration Management (A10) in the OWASP security taxonomy.

How do you prevent CWE-489?

Remove debug code before deploying the application.

How is CWE-489 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-489?

Exploiting CWE-489 can lead to: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context.

Is CWE-489 actively exploited?

72 recorded CVEs are caused by CWE-489; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-489: Active Debug Code (Leftover debug code)

72 recorded CVEs are caused by CWE-489 (Active Debug Code). The highest-severity and most recent are shown first. 5 new CWE-489 CVEs have been recorded so far in 2026 (15 in 2025).

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:

Vulnerable example

xml

<FORM ACTION="/authenticate_login.cgi">

Example

plaintext

http://TARGET/authenticate_login.cgi?username=...&password=...

Attack input

plaintext

http://TARGET/authenticate_login.cgi?username=&password=&debug=1

CWE-489: Active Debug Code

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-489?

What CVEs are caused by CWE-489?

Is CWE-489 part of the OWASP Top 10?

How do you prevent CWE-489?

How is CWE-489 detected?

What are the consequences of CWE-489?

Is CWE-489 actively exploited?

References

Stay ahead of CWE-489

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Can precede

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-489?

What CVEs are caused by CWE-489?

Is CWE-489 part of the OWASP Top 10?

How do you prevent CWE-489?

How is CWE-489 detected?

What are the consequences of CWE-489?

Is CWE-489 actively exploited?

References

Stay ahead of CWE-489