CWE-610: Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Last updated
Overview
CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
68 recorded CVEs are caused by CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 14 new CWE-610 CVEs have been recorded so far in 2026 (14 in 2025).
- CVE-2022-27593CISA KEV
DeadBolt Ransomware
Critical · CVSS 9.3 · EPSS 100th2022-09-08 - CVE-2017-16088Critical · CVSS 10.0 · EPSS 88th2018-06-07
- CVE-2022-39206Critical · CVSS 9.9 · EPSS 75th2022-09-13
- CVE-2024-42168Critical · CVSS 9.4 · EPSS 29th2025-01-11
- CVE-2026-47358Critical · CVSS 9.3 · EPSS 38th2026-05-19
- CVE-2026-47357Critical · CVSS 9.3 · EPSS 38th2026-05-19
- CVE-2024-32980
Spin contains a potential network sandbox escape for specifically configured Spin applications
Critical · CVSS 9.1 · EPSS 39th2024-05-08 - CVE-2021-41244Critical · CVSS 9.1 · EPSS 85th2021-11-15
- CVE-2025-22144
Account Takeover in NamelessMC
Critical · CVSS 9.0 · EPSS 51th2025-01-13 - CVE-2021-27648Critical · CVSS 9.0 · EPSS 85th2021-04-28
- CVE-2026-57301High · CVSS 8.8 · EPSS 34th2026-06-24
- CVE-2024-24760High · CVSS 8.8 · EPSS 55th2024-02-02
Showing 12 of 68 recorded CWE-610 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-610 vulnerabilitiesCommon consequences
What can happen when CWE-610 is exploited.
Read Application Data, Modify Application Data
Affects: Confidentiality, Integrity
An adversary could read or modify data, depending on how the resource is intended to be used.
Gain Privileges or Assume Identity
Affects: Access Control
An adversary that can supply a reference to an unintended resource can potentially access a resource that they do not have privileges for, thus bypassing existing access control mechanisms.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address.
Vulnerable example
public class RedirectServlet extends HttpServlet {Attack input
<a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to log in</a>Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-3032 — An email client does not block loading of remote objects in a nested document.
- CVE-2022-45918 — Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24)
- CVE-2018-1000613 — Cryptography API uses unsafe reflection when deserializing a private key
- CVE-2020-11053 — Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601)
- CVE-2022-42745 — Recruiter software allows reading arbitrary files using XXE
- CVE-2004-2331 — Database system allows attackers to bypass sandbox restrictions by using the Reflection API.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-610.
- What is CWE-610?
- The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
- What CVEs are caused by CWE-610?
- 68 recorded CVEs are attributed to CWE-610, including CVE-2022-27593, CVE-2017-16088, CVE-2022-39206. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- What are the consequences of CWE-610?
- Exploiting CWE-610 can lead to: Read Application Data, Modify Application Data, Gain Privileges or Assume Identity.
- Is CWE-610 actively exploited?
- Yes. 1 CWE-610 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 68 recorded CVEs.
References
- MITRE CWE definition (CWE-610) (opens in a new tab)
- CWE-610 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-610
Get alerted the moment a new CWE-610 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.