CWE — Common Weakness Enumeration
CWE (Common Weakness Enumeration) is a catalog of software and hardware weakness types maintained by MITRE. Where CVEs are specific vulnerabilities in specific products, CWEs are the categories of weakness that lead to those vulnerabilities. For example, CWE-79 is Cross-Site Scripting, CWE-89 is SQL Injection, and CWE-502 is Deserialization of Untrusted Data. A CVE record will often reference the CWE that explains why the vulnerability exists.
CWE vs CVE — what's the difference
Think of CWEs as the root causes and CVEs as the instances. CWE-502 (Deserialization of Untrusted Data) is the weakness category. CVE-2021-44228 (Log4Shell) is a specific instance of that weakness in Apache Log4j.
CVEs describe what happened. CWEs describe why it happened and how to prevent the whole class of issue.
The most important CWEs for dependency security
- CWE-502 — Deserialization of Untrusted Data (Log4Shell, SnakeYAML, PyYAML)
- CWE-1321 — Prototype Pollution (lodash, qs, minimist)
- CWE-400 — Uncontrolled Resource Consumption (ReDoS — moment, semver)
- CWE-22 — Path Traversal (Flysystem, CarrierWave, Sprockets)
- CWE-89 — SQL Injection (Ransack, Hibernate, activerecord)
- CWE-79 — Cross-Site Scripting (many web framework CVEs)
- CWE-601 — URL Redirection (open redirect CVEs in axios, express)
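CWE-1321 is the easiest entry in this list to show end to end in plain code. The following is an added example, not code from the page or from any of the libraries named above. It places a naive recursive merge (the pattern behind the prototype-pollution CVEs in utility libraries) beside a hardened version, and checks whether merging a constructed JSON document with a "__proto__" key leaks a property onto every object in the process. The payload string, the function names and the `demo` helper are all assumptions made for this illustration.

```javascript
// Added example (not from the page): CWE-1321 Prototype Pollution.
// JSON.parse creates an own property literally named "__proto__"; a merge
// that recurses into every key then walks into Object.prototype and writes
// attacker-chosen properties there. The hardened merge refuses the keys
// that reach a prototype and only recurses into own, plain-object values.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into any key, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, which passes
// isPlainObject, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys through which a merge can reach a prototype object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip prototype-bearing keys and never recurse into an
// inherited value; a nested target is always a fresh own plain object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // alternatively throw and reject the input
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input (an assumption for this example): a JSON body such as a
// request payload or a config file that a dependency would merge into
// defaults. It must be a string so that JSON.parse creates an own
// "__proto__" key; an object literal would set the prototype instead.
const CONSTRUCTED_PAYLOAD = '{"__proto__": {"polluted": true}, "name": "ok"}';

// Runs one merge implementation against the payload and reports whether an
// unrelated object now sees the injected property. Cleans up afterwards so
// repeated calls start from an unpolluted Object.prototype.
function demo(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(CONSTRUCTED_PAYLOAD));
  const unrelated = {};
  const leaked = unrelated.polluted === true;
  delete Object.prototype.polluted;
  return { leaked, name: target.name };
}

console.log('unsafeMerge:', demo(unsafeMerge)); // leaked: true
console.log('safeMerge:  ', demo(safeMerge));   // leaked: false, name: "ok"
```

The detection side of this is the `unrelated` object: a fresh `{}` should never carry a property it was not given, so checking one after a merge is a cheap regression test to keep next to any deep-merge or config-loading code in your own dependencies' test suite.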