Use of Externally-Controlled Format String
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-134: Use of Externally-Controlled Format String |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Medium |
Description
Passing user-supplied input directly as the format string of a function such as printf, sprintf, or vsprintf is dangerous. The attacker then controls the format directives the function interprets, which can lead to unexpected behavior and to reads from or writes to memory the program never intended to expose.
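An added illustration (not part of the original rule text) contrasting the flagged pattern with the fix: the untrusted buffer must only ever travel through a `%s` argument, never become the format string itself. The helper names and the constructed input are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flagged pattern (CWE-134): the untrusted buffer IS the format string, so any
 * directives it contains are interpreted by printf. Shown only for contrast. */
void log_message_unsafe(const char *untrusted) {
    printf(untrusted);
}

/* Hardened form: the format string is a literal under the program's control and
 * the untrusted data is passed purely as a %s argument, so "%x" or "%n" inside it
 * is copied verbatim instead of being interpreted. Returns the snprintf length. */
int log_message_safe(char *out, size_t out_len, const char *untrusted) {
    return snprintf(out, out_len, "[user] %s", untrusted);
}

/* Convenience wrapper over a static buffer so callers can compare the result. */
const char *render_safe(const char *untrusted) {
    static char buf[256];
    log_message_safe(buf, sizeof buf, untrusted);
    return buf;
}

/* Detection helper for code review or log auditing: true if the string holds a
 * directive that a format function would act on. "%%" is a literal percent and
 * is skipped; a trailing lone '%' is an incomplete directive and still counts. */
bool contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}

int main(void) {
    /* Constructed sample of attacker-shaped input, as it might arrive from a form. */
    const char *untrusted = "%x %x %n";
    printf("directives present: %s\n", contains_format_directive(untrusted) ? "yes" : "no");
    printf("%s\n", render_safe(untrusted));   /* prints the directives literally */
    return 0;
}
```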
Impact
An attacker could exploit this to read sensitive memory, crash the program, or execute arbitrary code, resulting in data breaches or full system compromise. The vulnerability is severe: it can be used to take control of the application or to leak confidential information.