- What is CWE-602?
- The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
- What CVEs are caused by CWE-602?
- 137 recorded CVEs are attributed to CWE-602, including CVE-2026-42160, CVE-2026-23478, CVE-2025-51682.
- Is CWE-602 part of the OWASP Top 10?
- CWE-602 maps to OWASP Top Ten 2004: Unvalidated Input (A1) in the OWASP security taxonomy.
- How do you prevent CWE-602?
- For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- How is CWE-602 detected?
- Fuzzing: Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
- What are the consequences of CWE-602?
- Exploiting CWE-602 can lead to: Bypass Protection Mechanism, DoS: Crash, Exit, or Restart, Gain Privileges or Assume Identity.
- Is CWE-602 actively exploited?
- 137 recorded CVEs are caused by CWE-602; none are currently in CISA's KEV catalog of actively exploited flaws.