taxonomy · how systems fail
Patterns.
Named bug-classes and conceptual frames. Each pattern is its own meta-analysis. The mechanism that gets named, plus every post that exhibits it.
- Design Debt Driver · 118 posts
A component whose bug-class keeps recurring. Patches address symptoms; the design holds the primitive.
- Unpatchable Primitive · 39 posts
The bug class is too fundamental to the design. Patches close instances; the primitive remains.
- Content Is Command · 35 posts
External content feeds an interpreter that treats it as instructions. Prompt injection is one instance.
- Parallel Implementation Gap · 35 posts · unmapped
A capability is implemented by two or more parallel modules (per adapter, per runtime, per deployment target). The canonical module imports a security check from a shared utility and enforces it; a divergent module, written separately for a different environment, never imports it. Both expose the same client-facing contract; one is gated, the other is not. The CVE names the divergent module.
- Internal Only By Convention · 34 posts · unmapped
A header, query parameter, or environment input the framework defines as internal-IPC-only, read with security-relevant authority on every inbound network request. The "internal-only" contract is documentation, not enforcement.
- Trust Inversion · 32 posts
The tools and credentials that authorize access to your systems are now the attack surface.
- The Detector Is The Target · 22 posts
The sandbox, scanner, or SOC tool is itself the attack surface.
- Gate Before Canonicalize · 21 posts · unmapped
A security check inspects an input for a forbidden form. A downstream subsystem canonicalizes the same input (URL decoding, path-parameter stripping, Unicode normalization, escape resolution) into that forbidden form. The check sees the wrapped representation; the action sees the unwrapped one. The fix is to canonicalize before checking, never after.
- Todo That Shipped · 18 posts
The fix was in a comment. The code shipped without it. Audit your oldest TODOs.
- Unauth Write To Execution Path · 18 posts
No auth required to write a file into a path the server executes. Webroot upload, CGI drop, etc.
- Disclosure After Exploitation · 15 posts
Vendor discloses only after active in-wild exploitation. The gap between first-seen and CVE is the story.
- Security Tool As Primitive · 13 posts
The privileged action of your security tool becomes the attack. Defender's hands become attacker's hands.
- Fail Open Intercept · 12 posts
Security gate can't decrypt/validate a message and forwards it anyway. Logs the failure, does the action.
- Safe Mode Was Opt In · 11 posts · unmapped
A library exposes sanitization as opt-in flags with unsafe defaults. A caller wiring the library's output into a sink that interprets the result as code (raw HTML, SQL, shell) accepts the unsafe defaults by reaching for the library's static or factory helper instead of constructing the instance and setting the flags. The flags exist in the library; the fix is to set them.
- Disclaimer Wrapped Campaign Kit · 9 posts
A PoC that ships a full weaponizer behind a 'for authorized testing only' disclaimer.
- Emergent Primitive · 9 posts
Individually safe components that compose into an attack. Nobody owns the intersection.
- Nonce Is Not Auth · 9 posts
CSRF tokens mistaken for authentication. Valid nonce does not equal authenticated caller.
- Placeholder PoC · 9 posts · unmapped
An exploit script published against an existing CVE, structured as a working exploit but with one or more critical parameters marked as placeholders the user must adjust. The author lacks the underlying primitive; the artifact attaches authorship to a CVE-shaped wrapper rather than to a working exploit. A scanner polling GitHub for CVE-named repositories registers it as "PoC available"; the script's own comments confirm the registration is wrong.
- Sanitized The Secrets, Not The Sink · 6 posts · unmapped
A function applies escape/quote/sanitize logic to user-controlled fields the developer perceives as security-sensitive (credentials, passwords, tokens) and omits it on a field that actually flows into the dangerous interpreter (shell, SQL, format string, eval). The mitigation logic in the same function is proof the developer understood the threat; the unsanitized field is proof they sorted by perceived field sensitivity rather than by destination.
- The Shell Was Not The Sink · 6 posts · unmapped
A sanitization function is named, implemented, and documented for one interpreter (the POSIX shell, an HTML renderer, a SQL dialect) and applied uniformly to inputs that flow into a different interpreter with different parsing rules. The quote-wrap survives the named sink intact, then is fed via pipe, stdin, embedded call, or template into the actual sink, which sees a literal character the wrap was not designed to neutralise. The function's name encodes the threat model the developer was thinking about; the destination encodes the one they were not.
- Denial By Pedantry · 5 posts
'We weren't breached' via a narrow reading of their own terms. Non-denial denial.
- Existence Is Authorization · 5 posts · unmapped
A handler given a caller-supplied identifier checks that the named resource exists and treats the existence check as the authorization decision. The identifier is enumerable; the resource carries no per-call credential. Anyone who can guess or enumerate the identifier becomes the authorized caller.
- Gate Narrower Than Sink · 5 posts · unmapped
A security filter and a downstream sink each parse the same input through their own matcher. The filter's grammar is strictly contained within the sink's. Inputs the sink accepts but the filter does not match flow through unfiltered, reaching the sink that runs them. The two matchers were written to describe the same syntactic object and did not agree.
- Name Is The Only Type · 5 posts · unmapped
A field stored as a generic map (interface{}, JSON, dict) whose conventional name implies a constrained shape (an ID, a path, a number). The producer's contract is implicit in the name; once an API exposes write access, the consumer reads attacker input where it expected server output.
- Caller Chosen Key · 4 posts · unmapped
A server signs a bearer token with a key the caller provides on the request, then accepts that same caller-supplied key on verification. The signature binds only that the caller could ask for issuance, not that they held any credential.
- Closed Network Assumed · 4 posts · unmapped
A parser written for a "trusted" bus (CAN, internal IPC, on-prem VLAN) accepts framing fields as if the protocol's valid-range constraints were guaranteed by the medium. Sequence numbers, length fields, and indices arrive without bounds checks because the developer's threat model excludes adversaries on the wire. When the bus admits a malformed frame, the protocol-derived constant becomes the size of the overflow.
- Convention Is The Allowlist · 4 posts · unmapped
A specification, RFC, or framework convention implies that an attacker-controllable field takes one of a constrained set of values, by how the spec exercises the field elsewhere rather than by formal grammar. The implementation parses the field at its broad syntactic type and accepts everything the type permits. The implicit allowlist exists in the spec authors' heads and in downstream consumers' assumptions; the code never installed it. The patch closes the demonstrated chain by narrowing the value set against the immediate context; the set of accepted values remains whatever happens to be supported by the surrounding subsystems today.
- Hash Is Not Entropy · 4 posts · unmapped
A security token is derived by running a cryptographic hash over a low-entropy value (a timestamp, a counter, a username, an autoincrement primary key). The cryptographic strength of the hash function is treated as compensating for the predictability of the input. It does not. The hash is a deterministic function; the output's entropy is bounded by the input's entropy, regardless of how the bits are spread across the digest.
- Maintainer Account Compromise · 4 posts
Single maintainer account gates publishes to millions. One compromise ships to every downstream.
- Middleware Outside The Hijacker · 4 posts · unmapped
Request-scoped middleware (auth, rate limit, RBAC) is wrapped around a handler that upgrades a single request into a long-lived connection. The middleware authenticates the handshake, then never sees the streams that follow.
- Phantom Project Documentation · 4 posts · unmapped
A repository whose documentation describes a project layout — file names, command-line flags, release history, build instructions — that does not match what the repository contains. Each artifact is internally consistent because each was generated from a separate prompt; no artifact references the others because no prompt asked the model to make them coherent. A scanner that polls GitHub for CVE-numbered repositories registers the documentation as evidence of a PoC; the directory listing the documentation describes does not exist on disk.
- Predicate Stringifies The Object · 4 posts · unmapped
A security predicate intends to test one field of a structured value (a path, a header, a claim) but is implemented against the value's stringified form. The string representation includes other attacker-controlled fields, and the substring or equality check accepts the gate's allow-string from any of them.
- Idle Indistinguishable From Broken · 3 posts
A periodic process that emits identical success telemetry for "I checked and there was nothing to do" and "I checked and could not determine what to do." Observers cannot tell health from breakage; risk accumulates silently.
- Join Is Not Sandbox · 3 posts · unmapped
Code composes a standard-library path-joining helper (filepath.Join, path.join, os.path.join) with a base directory and a caller-supplied path segment, reading the composition as a sandbox primitive. The helper's documented behavior is to clean `..` segments from the joined path; a caller-controlled segment with enough `..` walks the resulting absolute path outside the base. The function name and surrounding code treat the operation as scoping; the standard library defined it as normalizing. Sandboxing requires post-join verification: filepath.Rel with a prefix check, or strings.HasPrefix against base plus separator. Join alone provides none.
- MFT as Primary Target · 3 posts
Managed file transfer products carry the payload and the trust. Now carry the breaches.
- Mutable Reference As Immutable · 3 posts
Git tags, date-labeled artifacts, the latest tag. Treated as pinned. Not.
- Paywall PoC · 3 posts · unmapped
A high-severity CVE under remediation deadline pressure attracts a throwaway GitHub account that publishes a detailed README describing an exploit. The repository contains no exploit code; the file is gated behind a no-refunds crypto paywall. The asset being sold is the defender's urgency, not a working primitive.
- Revocation Gap · 3 posts
The window between credential compromise and detection. Every action in that window is legitimate.
- Self Propagating Supply Chain · 3 posts
Worm pattern in a package registry: infected package harvests credentials, publishes to the next.
- Setting Was Advisory · 3 posts · unmapped
A library accepts a security-relevant flag from its caller and overrides it inside a wrapper layer when the underlying framework's safe response to the caller's setting returns a generic fallback type. The library re-invokes the framework with the flag inverted. No log, exception, or callback informs the caller. The flag has the API surface of an enforced control and the runtime behavior of a hint.
- Source Grep Is Not A Sandbox · 3 posts · unmapped
A security check that scans the source text of code for forbidden tokens before handing the code to a dynamic interpreter. The interpreter resolves names, computes strings, traverses method dispatch, and rewrites bytecode at runtime, so any token the check forbids can be reconstructed from pieces the check never matched. The blocklist becomes documentation of the author's threat model rather than enforcement of it.
- Unmitigated Binary · 3 posts · unmapped
A binary compiled without the standard exploit mitigations (PIE, stack canary, FORTIFY_SOURCE, full RELRO). Every memory-safety bug becomes RCE because the build, not the source, decides exploitability.
- Wide Default, Narrow Doc · 3 posts · unmapped
A forwarding component copies its entire inbound structure into its outbound call by default. The component's reference documentation enumerates the configurable surface and is silent about the rest. Operators reason from the narrow description; the wide default ships their inbound credentials, cookies, and headers across the service boundary unannounced. The fix is an opt-in allowlist, and the same commit adds the documentation paragraph that finally describes the default. The wide forwarding remains the default.
- Allowlist Grain Is The Method · 2 posts · unmapped
An interpreter sandbox enforces a method allowlist by class and method name. One allow-listed method's return value carries data from a higher trust tier than the allowlist's grain can see. The allowlist filtered at the method level; the security boundary lives at the data level.
- Backport Gap · 2 posts · unmapped
A coordinated multi-branch release ships a security fix on one branch and ships the unfixed code on the others. The CVE record covers all branches; the patch covered the one.
- Borrowed Pages As Scratch · 2 posts · unmapped
A subsystem performs fixed-size scratch writes into a destination buffer under an internal contract that it owns the memory. Another subsystem supplies that buffer with foreign-owned pages (page cache, mapped device, peer process). The contract is documentation; the legitimate scratch becomes a write primitive across a trust boundary nobody guards.
- Commented Out Code Is Testimony · 2 posts
The capability the researcher didn't ship tells you what the capability is. Read what's commented out.
- Empty Filter Is Wildcard · 2 posts · unmapped
An API treats an empty filter argument as 'no filter applied' and returns the full set rather than the empty set or an error. A consumer that funnels attacker-controlled input into the filter without rejecting empty values converts an exact-match query into a wildcard scan.
- Extension As Mitigation · 2 posts · unmapped
A library exposes a subclass, callback, or hook framed in the documentation as the seam where the consumer adds security validation, while keeping the unsafe sinks inside the library and never enumerating the inputs the consumer must sanitize. The extension is positioned as the fix; using it does not close the gap.
- Frame Bounds Headers Only · 2 posts · unmapped
A parser checks the outer length field that frames its iteration, then trusts each inner length field to drive writes without checking it against the same frame.
- Host Header As Self · 2 posts · unmapped
A server validates signed inbound messages against its own URL and derives that URL from client-supplied request headers. The signed 'intended for X' check becomes 'intended for whatever the client claims X is.'
- Junction Preemption · 2 posts
A privileged process writes to a directory it never pre-created with restrictive permissions. A standard user occupies the path first as an NTFS junction. The privileged write follows the attacker's redirection.
- Object Literal As Map · 2 posts · unmapped
JavaScript code uses a plain object literal `{}` as a string-keyed dictionary against attacker-controlled keys. Plain objects inherit twelve keys from `Object.prototype`; every one of them resolves to a non-undefined inherited value through bracket lookup. Names like `__proto__`, `hasOwnProperty`, and `toString` reach those values without writing anything to the prototype. The default container leaks the prototype chain. `Object.create(null)` and `Map` do not.
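An added illustration of the lookup leak described above (example code, not from the original page): the same constructed command registry built three ways, with a bracket lookup that reports what each container resolves for names that were never registered, plus the own-property lookup that is the fix when the container has to stay a plain object. The registry contents and probe names are assumptions for the demonstration.

```javascript
// Constructed dispatch table: attacker-chosen command name -> handler.
function literalRegistry() {
  return { ping: () => 'pong' };
}

// Same table with no prototype chain: only keys written here resolve.
function nullProtoRegistry() {
  const r = Object.create(null);
  r.ping = () => 'pong';
  return r;
}

// Same table as a Map: Map.prototype methods are not entries.
function mapRegistry() {
  return new Map([['ping', () => 'pong']]);
}

// Bracket lookup as the buggy code writes it. Reports the type of whatever
// the lookup resolved to, so inherited prototype members show up as hits.
function lookup(registry, name) {
  const value = registry instanceof Map ? registry.get(name) : registry[name];
  return value === undefined ? 'missing' : typeof value;
}

// Lookup restricted to own properties: the fix when the container must stay
// a plain object (for example because it came straight from JSON.parse).
function ownLookup(registry, name) {
  if (!Object.prototype.hasOwnProperty.call(registry, name)) return 'missing';
  return typeof registry[name];
}

// Names a caller can send that resolve on a registry without ever having
// been registered. The probes are a subset of Object.prototype's own keys.
function leakedKeys(registry) {
  const probes = ['__proto__', 'hasOwnProperty', 'toString', 'constructor', 'valueOf'];
  return probes.filter((k) => lookup(registry, k) !== 'missing');
}
```

On the literal, `hasOwnProperty` resolves to a function and `__proto__` to an object without anyone having written them; on the null-prototype object and on the `Map`, every probe is missing. Note that `ownLookup` treats an own `__proto__` key (which `JSON.parse` does create) as a real entry, which is correct for a dictionary but still means the key must be handled as data, not as a prototype.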
- Persistent Blindspot · 2 posts
The attack does not steal. It makes the defender permanently blind to a class of events.
- Prototype Pollution Trust Bypass · 2 posts
A trust check that reads shared prototype state. Attacker writes once, every object reports trusted.
- Quote Wrap Is Not Escape · 2 posts · unmapped
A shell command, SQL query, or template string is assembled by interpolating an untrusted value between literal quote characters typed by hand into the surrounding source-language string literal (`'$var'`, `"$var"`). The author has encoded the destination's string-quoting convention as a character in the source rather than as a call to the destination's escape primitive (`escapeshellarg`, prepared-statement binding, the language's `quote()`). The character is not a function: a delimiter byte inside the interpolated value terminates the wrap and the destination's command grammar resumes from the next byte. The destination's runtime exposes a real escape primitive and the same project has used it elsewhere; the bug site reaches for a typed apostrophe instead.
- Security Metric Theater · 2 posts
Coverage reported as a fraction when only the numerator was ever the story. MFA %, EDR coverage, etc.
- Theatrical Reissue · 2 posts · unmapped
An existing CVE and an existing working PoC are republished by a separate author with mathematical-sounding pseudoscience added to the loop structure (Riemann zeros, "temporal" modifiers, exotic decay constants), claiming a severity upgrade the underlying bug cannot support. The added math is decorative. In many cases the headlining script does not reach the original exploit primitive because the author replaced the working network call with a print statement.
- TOCTOU That Isn't · 2 posts
A 'race condition' that's actually deterministic. Attacker controls timing because the other side hasn't run yet.
- Validated Source, Not Destination · 2 posts · unmapped
A file upload handler validates the source filename's extension and writes the file under a destination basename the caller supplied separately. Validating one filename does not validate the other.
- Aliased Carrier Bypass · 1 post · unmapped
A dispatcher reads from a preference chain of aliased input carriers (e.g., `json` then `msg` then a raw envelope). A sanitizing gate covers one alias and not the others. The dispatcher's first-preferred carrier is the bypass, and the gate's own scope, named after the field the original PoC happened to use, is the admission.
- Auth Pins The Slot, Not The Value · 1 post
Authorization is granted for a request-handle whose contents the attacker can replace before the grant is consumed. Polkit, OAuth, transaction caches, any framework where auth is requested for a slot and the slot's value is mutable post-request.
- Canonicalize Before Verify · 1 post · unmapped
A signature verifier transforms an artifact through a parser, normalizer, or re-encoder before handing the result to the cryptographic check. The signature ends up attesting to the verifier's transformed form, not to the raw bytes downstream consumers act on. When the verifier's parser and a downstream consumer's parser disagree about what the raw bytes mean, the verifier's 'verified' label covers bytes nobody else sees.
- Channel Bounded Disclosure · 1 post · unmapped
A memory or data disclosure primitive whose exfiltration path passes through a destructive transform (quantization, compression, hashing, sampling). The primitive accesses the bytes; the channel sets the ceiling on what the attacker recovers, often well below the rated severity.
- Confirmation Was Conditional · 1 post · unmapped
A privileged-action handler whose security model depends on an out-of-band confirmation step (email invite, SMS code, two-step approval) branches at runtime on whether the confirmation channel is configured. When the operator has configured the channel, the handler routes through the confirmation; when the operator has not, the handler short-circuits to direct mutation with the credential returned in the HTTP response. The caller's role and the route's middleware do not change between the branches. The route authorizes what the handler is. The runtime branch decides what the handler does.
- Coursework PoC · 1 post · unmapped
A CVE-numbered GitHub repository whose contents are educational coursework (a class presentation, lab report, or writeup) described in prose and built with presentation frameworks rather than implemented as runnable code. The students chose the CVE as their assignment topic; the repository name carries the CVE identifier because the project's subject does. A scanner that indexes GitHub by CVE-numbered repository name registers the coursework as a published PoC; the artifact never claimed to be one.
- Debug Flag Left On · 1 post · unmapped
A compile-time feature flag named with a debug convention (`_DEBUG_*`, `_IOCTL_DEBUG_*`, `_DBG_*`) gates a security-relevant capability and is unconditionally `#define`d in production headers. No `#ifdef DEBUG` or build-system mechanism enforces the convention. The vendor's release discipline is to comment the macro out before shipping; the discipline is applied to adjacent macros and not to this one. The "debug only" contract has two manifestations in the codebase, the macro's name and an inline comment admitting what it does. The runtime sees neither.
- Duplicate Chunk Reinit · 1 post · unmapped
A multi-part or container-format parser handles a second occurrence of a stream-defining chunk by re-initializing its per-stream state in place. The re-init releases the first occurrence's allocations as a side effect; an outer wrapper that owns the lifecycle retains pointers to those allocations and reaches them at teardown.
- Escape Then Unescape · 1 post · unmapped
A security primitive (escape, quote, prepare, encode) is applied to user input, then its inverse transform is called on the output in the same expression because the primitive's output shape does not fit the consumer's expectations. For benign input the two transforms cancel and the workaround appears to work; for any input containing a character the primitive escapes, the second call removes the escape before the dangerous interpreter sees it. The fix is in the code; the unfix is wrapped around it.
- Escape Was For The Other Engine · 1 post · unmapped
A server-side safety primitive (autoescape pragma, default-encoded template engine, framework HTML helper) correctly covers one rendering pipeline at one trust boundary. The same file or response emits a second rendering pipeline at a different trust boundary, typically client-side template-literal interpolation into innerHTML, on data that arrives by a separate channel. The primitive does not see the second pipeline because the primitive's interpreter does not run there. The developer reads the pragma as "this file is escaped" and is right about the engine the pragma names.
- Fix Reads The Bug · 1 post · unmapped
A patch implements a security control whose enforcement requires the same observation the bug exposes. Closing the channel would prevent the control from working, so the channel stays open by design and the mitigation rate-limits or post-processes readings of it.
- Gate Was Decoration · 1 post · unmapped
An authentication helper is called at the entry of a handler and its return value bound to a local variable. The variable is used only as a label inside a log line; no if-statement branches on it. Sibling handlers in the same dispatch table call the same helper and branch on the result. The CVE names the handler where the call exists and the branch does not.
- Key In The Output · 1 post · unmapped
A cryptographic helper takes a key parameter, substitutes a hardcoded constant for it in the operation the function claims to perform, then concatenates the real key onto the result as raw bytes before encoding. Two errors in opposite directions compose: the key is not in the operation, and the key is in the output. Returning the value to any caller publishes the key.
- Manifest Declares The Target · 1 post · unmapped
A fetcher's allowlist validates the URL it loads a manifest from, not the targets the manifest declares. The fetched payload names the next destination, and the trust placed on the manifest's source does not transfer to the URLs the manifest writes.
- Null Equals Null · 1 post · unmapped
A multi-tenant authorization check encoded as Python equality between two fields that can both legitimately be the unset sentinel (None, null, empty string). When both sides are unset, the equality returns true and the check waves the caller through. The sentinel that means "no tenant" becomes membership of a shared default tenant, usually the largest population on the system. The fix is never raw equality: the comparison must explicitly assert that the value is non-null before allowing a match.
- Null Truncation Differential · 1 post · unmapped
Two consumers read the same input buffer with different string-length conventions. A security gate uses C-string semantics and stops at the first NULL byte, validating only the prefix; a downstream sink uses length-prefixed byte-buffer semantics and consumes the NULL and everything after it. The bytes are identical. The length the two readers infer is not. The buffer the gate approved is not the buffer the sink acted on.
- Out Of Band, Also In Band · 1 post · unmapped
A flow whose security depends on the secret traveling only over a trusted side channel (email, SMS, push) is implemented by a service function that hands the same mutable object to the side-channel sender and to the in-band HTTP response. The "out of band only" promise collapses into "out of band, also in band."
- Pin Then Spread · 1 post · unmapped
A handler pins a server-derived authoritative field (the authenticated user, the tenant ID, the resource owner) at the head of an object literal, then spreads attacker-controlled JSON over the same object. JavaScript's object-literal semantics resolve colliding keys by source order; the spread always wins. The pin reads to code review as enforcement and ships as a default.
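The three shapes of that object literal side by side, as an added example that is not code from the original page: the pin-first version the entry describes, the pin-last reordering that makes the server-derived fields win by the same source-order rule, and the allowlist copy that keeps unknown client keys out of the record entirely. The session, the record fields and the request body are constructed for the demonstration.

```javascript
// Constructed authenticated context; in a real handler this comes from the
// session or token, never from the request body.
const SESSION = { userId: 'u-1001', tenantId: 't-42' };

// Buggy shape: pin the authoritative fields first, spread the body after.
// Object-literal semantics resolve duplicate keys by source order, so a body
// carrying ownerId or tenantId overwrites the pinned values.
function buildPinThenSpread(sess, body) {
  return { ownerId: sess.userId, tenantId: sess.tenantId, ...body };
}

// Reordered: spread first, pin last. The pinned fields now win by the same
// rule, but every other client key still lands in the record unexamined.
function buildSpreadThenPin(sess, body) {
  return { ...body, ownerId: sess.userId, tenantId: sess.tenantId };
}

// Allowlist copy: only the fields the client may set are read from the body
// (own properties only, so inherited or prototype names are ignored), then
// the server-derived fields are pinned. Unknown keys never reach the record.
const CLIENT_FIELDS = ['title', 'notes'];
function buildAllowlisted(sess, body) {
  const record = { ownerId: sess.userId, tenantId: sess.tenantId };
  for (const key of CLIENT_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) record[key] = body[key];
  }
  return record;
}
```

Reordering the spread is the one-line fix for the overwrite; the allowlist is the shape that also survives the next field someone adds to the record, since a new server-owned column is protected by default rather than by remembering to pin it after the spread.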
- Placeholder Credential Is Live · 1 post · unmapped
A credential parameter required by a user-creation or constructor function is given a literal placeholder value because the developer's threat model places the actual access path on a separate mechanism (unlock key, signed token, admin-only UI). The framework persists the placeholder into the same auth store as real credentials, and a globally network-reachable password endpoint accepts it from any caller. The developer's intent that the placeholder is internal is documentation, not enforcement.
- Pool Retains Prior Writes · 1 post · unmapped
A kernel object pool returns entries to a freelist without erasing them. Each caller's writes past the next caller's expected watermark persist into entries handed to subsequent unrelated callers. The cross-caller contract is that nobody reads past their own writes; the kernel does not enforce it. Combined with any bounded out-of-bounds write into a pool entry, the residue from an attacker's earlier exec becomes a persistent attacker-controlled staging area in another process's view of the pool.
- Prefix Is Not Identity · 1 post · unmapped
A cache or dedup key derived from a fixed-length prefix of a value, on an implicit assumption that the prefix carries per-actor entropy. When the producer's encoding concentrates entropy past the prefix window (a JWT payload past the header, a URL path past the host, a salted hash past the salt), every actor's value maps to one bucket. The type signature is `str`; the entropy contract is documentation. When the producer's shape drifts, the slice goes from fingerprint to constant without warning.
- Rejection Echoes The Secret · 1 post · unmapped
An auth or authz check that fails the caller, then writes the expected value into the response body before terminating. The reject branch performs the comparison, computes the value the caller should have sent, and emits it. Often originates as a debug print added during initial development to verify the comparison works; ships because the reject branch is the path no developer re-reads.
- Release Lag Disclosure · 1 post · unmapped
A security fix lands in a project's mainline branch as a public commit, often with a commit message that names the bug class. The next release tag is cut weeks, months, or longer afterward. The git log carries the de-facto disclosure during the gap; package managers that resolve to release tags continue to install the unfixed code. The CVE catches up to the release, not to the fix. The gap between fix-commit date and CVE-publication date is the window in which the bug was public for anyone reading source and unmitigated for everyone running binaries.
- Sign Bit Is Not Overflow · 1 post · unmapped
A check intended to detect arithmetic overflow is written as a comparison against zero (`if (result < 0) throw`). The check fires when the multiplication or addition tips the value into negative territory and is silent when the high bits leave the integer cleanly and the result stays positive. The author's commit message names the threat correctly; the implementation captures one of overflow's two visible signatures and reads to code review as a comprehensive guard.
- Signed But Unextracted · 1 post · unmapped
A document arrives with a cryptographic signature over an inner artifact, but the verifier extracts signatures at a pipeline stage where the inner artifact is still wrapped (encrypted, encoded, deferred-parsed). After a later stage opens the wrapper, the verifier never re-extracts. The signature exists in the document and is never in the validator's working set; the outer envelope's signature is treated as having authenticated content it never covered.
- Signing Surface Poisoning · 1 post
Hardware wallet / HSM / signer shows one thing, signs another. Trust boundary lives at the rendering layer.
- Unsigned Ecosystem Echo · 1 post
A new ecosystem replaying every lesson the old ones learned. Same registry shape, same provenance gap.
- Validated At Boot · 1 post · unmapped
A security-relevant configuration is validated once at process startup and never re-checked, even though the same process supports hot-reload, dynamic registration, or runtime mutation of that same configuration. The startup pass creates an assurance the runtime path does not maintain. The rail ran. The state changed. The runtime never reconciles.