The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

What CVEs are caused by CWE-940?

44 recorded CVEs are attributed to CWE-940, including CVE-2025-61932, CVE-2023-41094, CVE-2024-38886. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-940?

Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack.

What are the consequences of CWE-940?

Exploiting CWE-940 can lead to: Gain Privileges or Assume Identity, Varies by Context, Bypass Protection Mechanism.

Is CWE-940 actively exploited?

Yes. 1 CWE-940 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 44 recorded CVEs.

CWE-940: Improper Verification of Source of a Communication Channel

CVE-2024-40515

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This Android application will remove a user account when it receives an intent to do so:

Vulnerable example

java

IntentFilter filter = new IntentFilter("com.example.RemoveUser");

This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.

These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:

Vulnerable example

java

// Android

Vulnerable example

objectivec

// iOS

Attack input

javascript

window.location = examplescheme://method?parameter=value

CWE-940: Improper Verification of Source of a Communication Channel

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Illustrative examples

Attack patterns

Frequently asked questions

What is CWE-940?

What CVEs are caused by CWE-940?

How do you prevent CWE-940?

What are the consequences of CWE-940?

Is CWE-940 actively exploited?

References

Stay ahead of CWE-940

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Attack patterns

Frequently asked questions

What is CWE-940?

What CVEs are caused by CWE-940?

How do you prevent CWE-940?

What are the consequences of CWE-940?

Is CWE-940 actively exploited?

References

Stay ahead of CWE-940