Base weakness

Draft

CWE-494: Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

137

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.

Real-world CVEs

137 recorded CVEs are caused by CWE-494 (Download of Code Without Integrity Check), including 4 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 21 new CWE-494 CVEs have been recorded so far in 2026 (33 in 2025).

How to prevent it

Practical mitigations for CWE-494, grouped by where in the lifecycle they apply.

Implementation

Perform proper forward and reverse DNS lookups to detect DNS spoofing.

Architecture and Design

Operation

Encrypt the code with a reliable encryption scheme before transmitting.

This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.

Architecture and Design

Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code.

When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain CWE-295, CWE-320, CWE-347, and related weaknesses.
Use code signing technologies such as Authenticode. See references [REF-454] [REF-455] [REF-456].

Architecture and Design

Operation

Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Architecture and Design

Operation

Sandbox or Jail

Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.

OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.

This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.

Be careful to avoid CWE-243 and other weaknesses related to jails.

Effectiveness: Limited — The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

CWE-494: Download of Code Without Integrity Check

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Manual Analysis

Black Box

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-494?

What CVEs are caused by CWE-494?

How do you prevent CWE-494?

How is CWE-494 detected?

What are the consequences of CWE-494?

Is CWE-494 actively exploited?

References

Stay ahead of CWE-494

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Manual Analysis

Black Box

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Related

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-494?

What CVEs are caused by CWE-494?

How do you prevent CWE-494?

How is CWE-494 detected?

What are the consequences of CWE-494?

Is CWE-494 actively exploited?

References

Stay ahead of CWE-494