---
name: cwe-606-unchecked-loop-condition
description: Use this skill when you need to remediate CWE-606 (Unchecked Input for Loop Condition) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing unchecked input for loop condition issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-606
  - remediation
  - sast
---
# CWE-606 Unchecked Input for Loop Condition

## Description

Unchecked Input for Loop Condition: the product accepts input from an upstream component but does not adequately check it before using it as a loop condition, so the caller decides how much work (or how long a wait) a single request costs.

Reference: https://cwe.mitre.org/data/definitions/606.html
OWASP Category: A03:2021 – Injection
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: the user controls the number of loop iterations
int count = Integer.parseInt(request.getParameter("count"));
for (int i = 0; i < count; i++) {
    processItem(i); // DoS: count may be as large as Integer.MAX_VALUE
}

// VULNERABLE: the user controls how long the request thread blocks
int sleepMs = Integer.parseInt(request.getParameter("delay"));
Thread.sleep(sleepMs); // DoS: a very large delay ties up the thread
```

**Why it's vulnerable:** the request parameter is parsed and used directly as the loop bound (or sleep duration) with no upper limit, so one request can force roughly two billion iterations or block a worker thread for days; a handful of such requests exhausts the thread pool.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: enforce maximum limits
private static final int MAX_ITERATIONS = 1000;
private static final int MAX_SLEEP_MS = 5000;

// Reject out-of-range counts instead of iterating on them.
// (Integer.parseInt still throws NumberFormatException on non-numeric input;
// catch it where the request is handled so it becomes a 400, not a 500.)
int count = Integer.parseInt(request.getParameter("count"));
if (count < 0 || count > MAX_ITERATIONS) {
    throw new IllegalArgumentException("Count must be 0-" + MAX_ITERATIONS);
}
for (int i = 0; i < count; i++) {
    processItem(i);
}

// For sleep operations: clamp into [0, MAX_SLEEP_MS] rather than rejecting
int sleepMs = Integer.parseInt(request.getParameter("delay"));
sleepMs = Math.min(Math.max(sleepMs, 0), MAX_SLEEP_MS);
Thread.sleep(sleepMs);
```

**Why it's secure:** every user-controlled value is bounded by a compile-time constant before it reaches the loop condition or `Thread.sleep`, so the worst-case cost of a request is fixed (at most `MAX_ITERATIONS` iterations and `MAX_SLEEP_MS` ms of blocking) no matter what the client sends.
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find loops with parsed input
grep -rn "for.*parseInt\|while.*getParameter" --include="*.java"

# Find Thread.sleep with user input (getParameter within the 5 lines before the sleep)
grep -rn "Thread.sleep" --include="*.java" -B5 | grep "getParameter"
```
## Remediation Steps

1. Define a MAX constant for all user-controlled loops
2. Validate that the input is within the acceptable range
3. Use `Math.min()` to cap values at the maximum
4. Log attempts to exceed the limits for monitoring
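The four steps above in one place, as an added example that is not the skill's own code: `BoundedLoopInput`, `parseBoundedCount` and `clampSleepMs` are hypothetical names, and the values in `main` are constructed stand-ins for `request.getParameter(...)` results.

```java
import java.util.logging.Logger;
// Added example, not the skill's own code: bounded handling of user-controlled
// loop counts and delays, covering remediation steps 1-4 above.
public final class BoundedLoopInput {
    private static final Logger LOG = Logger.getLogger(BoundedLoopInput.class.getName());
    // Step 1: hard ceilings for every user-controlled iteration count or delay.
    static final int MAX_ITERATIONS = 1000;
    static final long MAX_SLEEP_MS = 5000L;

    // Step 2: parse and range-check a loop bound before it reaches a loop condition.
    static int parseBoundedCount(String raw) {
        if (raw == null || raw.isBlank()) {
            return 0; // an absent parameter means no work, never "unbounded"
        }
        final int count;
        try {
            count = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("count must be an integer", e);
        }
        if (count < 0 || count > MAX_ITERATIONS) {
            // Step 4: log the rejection; a burst of these is worth an alert.
            LOG.warning("rejected count " + count + ", allowed 0-" + MAX_ITERATIONS);
            throw new IllegalArgumentException("count must be 0-" + MAX_ITERATIONS);
        }
        return count;
    }

    // Step 3: clamp a delay into [0, MAX_SLEEP_MS]; unparsable input becomes 0.
    static long clampSleepMs(String raw) {
        long requested;
        try {
            requested = raw == null ? 0L : Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            requested = 0L;
        }
        long clamped = Math.min(Math.max(requested, 0L), MAX_SLEEP_MS);
        if (clamped != requested) { // Step 4: clamping is a signal, record it
            LOG.warning("delay " + requested + " ms clamped to " + clamped + " ms");
        }
        return clamped;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed inputs standing in for request.getParameter("count"/"delay").
        for (int i = 0, n = parseBoundedCount("25"); i < n; i++) {
            System.out.println("processing item " + i);
        }
        Thread.sleep(clampSleepMs("999999999")); // blocks 5 s, not ~11.5 days
    }
}
```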
## Key Imports

None beyond `java.lang`: `Integer`, `Math`, `Thread` and `IllegalArgumentException` are all available without an import.
## Verification

After remediation:

1. Run the SAST scanner to confirm the vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
## Trigger Examples

- "Fix CWE-606 vulnerability"
- "Resolve Unchecked Input for Loop Condition issue"
- "Secure this Java code against unchecked input for loop condition"
- "SAST reports CWE-606"
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07