CWE-606 Unchecked Input for Loop Condition

Description

Unchecked Input for Loop Condition

Reference: https://cwe.mitre.org/data/definitions/606.html

OWASP Category: A03:2021 – Injection

---

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: User controls loop iterations
int count = Integer.parseInt(request.getParameter("count"));
for (int i = 0; i < count; i++) {
    processItem(i);  // DoS if count is MAX_INT
}

// VULNERABLE: Sleep duration from user
int sleepMs = Integer.parseInt(request.getParameter("delay"));
Thread.sleep(sleepMs);  // DoS if delay is very large

Why it's vulnerable: This pattern is vulnerable to Unchecked Input for Loop Condition

---

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Enforce maximum limits
private static final int MAX_ITERATIONS = 1000;
private static final int MAX_SLEEP_MS = 5000;

int count = Integer.parseInt(request.getParameter("count"));
if (count < 0 || count > MAX_ITERATIONS) {
    throw new IllegalArgumentException("Count must be 0-" + MAX_ITERATIONS);
}
for (int i = 0; i < count; i++) {
    processItem(i);
}

// For sleep operations
int sleepMs = Integer.parseInt(request.getParameter("delay"));
sleepMs = Math.min(Math.max(sleepMs, 0), MAX_SLEEP_MS);
Thread.sleep(sleepMs);

Why it's secure: Implements proper protection against Unchecked Input for Loop Condition

---

Detection Pattern

Look for these patterns in your codebase:

# Find loops with parsed input
grep -rn "for.*parseInt\|while.*getParameter" --include="*.java"

# Find Thread.sleep with user input
grep -rn "Thread.sleep" --include="*.java" -B5 | grep "getParameter"

---

Remediation Steps

1. Define MAX constant for all user-controlled loops

2. Validate input is within acceptable range

3. Use Math.min() to cap values at maximum

4. Log attempts to exceed limits for monitoring

---

Key Imports

---

Verification

After remediation:

• Run SAST scanner to confirm vulnerability is resolved

• Review all instances of the vulnerable pattern

• Add unit tests that verify the secure implementation

• Check for similar patterns in related code

---

Trigger Examples

Fix CWE-606 vulnerability
Resolve Unchecked Input for Loop Condition issue
Secure this Java code against unchecked input for loop condition
SAST reports CWE-606

---

Common Vulnerable Locations

Layer	Files	Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

---

References

• CWE-606: Unchecked Loop Condition

---

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07