SYM_GO_0012 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code uses user-supplied input to dynamically select methods or fields via reflect.MethodByName or reflect.FieldByName in Go. This lets external input decide at runtime which function is invoked or which field is read, which is unsafe because the input, rather than the program, determines what code runs.
Impact
An attacker could manipulate input to invoke unintended methods or access sensitive fields, potentially bypassing authentication or authorization checks. This can lead to unauthorized actions, data leaks, or unexpected application behavior.
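The following is an added example, not code from the Symbiotic-Vulnerability-Database wiki: it places the reflect.MethodByName / reflect.FieldByName pattern described above next to a hardened dispatcher that maps a closed set of operation names to explicitly chosen handlers. The `Service` type, its methods and the operation names are hypothetical and exist only to illustrate the two patterns.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// Service is a hypothetical type mixing a harmless operation, a privileged
// operation and a sensitive field. None of these names come from the wiki page.
type Service struct {
	Secret string // sensitive: must not be readable by choosing a name from input
}

func (s *Service) Status() string     { return "ok" }
func (s *Service) ResetAdmin() string { return "admin reset" } // privileged

// UnsafeDispatch is the CWE-470 pattern: the caller's string selects the method.
// Every exported method of *Service, including ResetAdmin, becomes reachable.
func UnsafeDispatch(s *Service, name string) (string, error) {
	m := reflect.ValueOf(s).MethodByName(name)
	if !m.IsValid() {
		return "", errors.New("no such method")
	}
	out := m.Call(nil)
	return out[0].String(), nil
}

// UnsafeField is the FieldByName variant: the caller's string selects the struct
// field, so "Secret" is as reachable as any other exported field.
func UnsafeField(s *Service, name string) (string, error) {
	f := reflect.ValueOf(s).Elem().FieldByName(name)
	if !f.IsValid() {
		return "", errors.New("no such field")
	}
	return fmt.Sprint(f.Interface()), nil
}

// allowed is the hardened alternative: a fixed allowlist that maps each permitted
// operation name to a handler the program chose at compile time. Reflection is not
// involved, and anything not in the map is rejected before any code runs.
var allowed = map[string]func(*Service) string{
	"status": (*Service).Status,
}

func SafeDispatch(s *Service, name string) (string, error) {
	h, ok := allowed[strings.ToLower(name)]
	if !ok {
		return "", fmt.Errorf("operation %q is not permitted", name)
	}
	return h(s), nil
}

func main() {
	svc := &Service{Secret: "s3cr3t"} // constructed sample value
	for _, name := range []string{"Status", "ResetAdmin"} {
		r, err := UnsafeDispatch(svc, name)
		fmt.Printf("unsafe %-10s -> %q (err: %v)\n", name, r, err)
		r, err = SafeDispatch(svc, name)
		fmt.Printf("safe   %-10s -> %q (err: %v)\n", name, r, err)
	}
	r, err := UnsafeField(svc, "Secret")
	fmt.Printf("unsafe field Secret -> %q (err: %v)\n", r, err)
}
```

The point of the allowlist is that the set of reachable code is visible in one place and is reviewed like any other code; a new operation has to be added to the map deliberately, whereas with MethodByName any method added to the type later is exposed automatically. The same reasoning applies to FieldByName: expose specific fields through explicit accessors rather than letting input name the field.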