This warning is reported when an object reference is cast to a type that the underlying object may not actually have. Such a cast can lose data or, in C#, fail at runtime with an InvalidCastException.

Vulnerability and risk

Either data may be lost or the program may fail. A downcast from a base-class reference to a derived type is only valid when the object was created as that derived type (or a subtype of it); when it was not, the program either aborts on the cast itself or, in an environment without checked casts, goes on to access a field that does not exist in the actual object.


  // Object1 derives from Object2: every Object1 is an Object2, but not the reverse.
  public class Object1 : Object2 {
    public int a;
  }

  public class Object2 {
    public int b;
  }

  public class ClassCastTests {
    private bool flag;

    public void foo() {
      Object1 o1;
      Object2 o2 = new Object2();   // runtime type is Object2, not Object1
      if (flag)
        o1 = (Object1)o2;           // invalid downcast: throws InvalidCastException at runtime
    }
  }

o1 is declared with type Object1, while o2 is created as a plain Object2. Because Object1 derives from Object2, an Object2 reference is not necessarily an Object1, so the cast (Object1)o2, which runs whenever flag is true, is invalid: the object behind o2 has no field a, and the cast throws at runtime.
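The following is an added example, not code from the original page or from the checker's own test suite. It places the unchecked downcast beside a type-checked alternative using C# pattern matching, which the page does not show. The class names Base and Derived (standing in for Object2 and Object1), the CastDemo class and its methods are hypothetical.

```csharp
using System;

// Base and Derived play the roles of Object2 and Object1 from the page (hypothetical names).
public class Base { public int b; }
public class Derived : Base { public int a; }

public static class CastDemo
{
    // Unchecked: assumes every Base is really a Derived.
    // When the runtime type is plain Base, the cast throws InvalidCastException.
    public static int ReadAUnchecked(Base obj)
    {
        Derived d = (Derived)obj;
        return d.a;
    }

    // Checked: the 'is' pattern verifies the runtime type before the derived field is touched.
    // Returns null instead of failing when obj is not a Derived.
    public static int? ReadAChecked(Base obj)
    {
        if (obj is Derived d)
            return d.a;
        return null;
    }

    public static void Main()
    {
        // Constructed sample objects: one plain Base, one Derived held through a Base reference.
        Base plain = new Base { b = 1 };
        Base derived = new Derived { a = 42, b = 2 };

        Console.WriteLine("checked, Derived instance: " + ReadAChecked(derived));
        Console.WriteLine("checked, Base instance:    " + (ReadAChecked(plain) is null ? "not a Derived" : "unexpected"));

        try
        {
            ReadAUnchecked(plain);   // same situation as (Object1)o2 on the page
        }
        catch (InvalidCastException e)
        {
            Console.WriteLine("unchecked cast failed: " + e.Message);
        }
    }
}
```

The checked form is what the warning asks for: either test the runtime type with is (or use as and test for null) before dereferencing derived members, or restructure the code so the variable is declared with the type it is actually constructed as.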

Security training

Application security training materials provided by Secure Code Warrior.