CWE-166: Improper Handling of Missing Special Element
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.
常见后果
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart
潜在缓解措施
描述: Developers should anticipate that special elements will be removed in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
阶段: Implementation
策略: Input Validation
阶段: Implementation
策略: Input Validation
描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
观察示例
参考: CVE-2002-1362
Crash via message type without separator character
参考: CVE-2002-0729
Missing special character (separator) causes crash
参考: CVE-2002-1532
HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Missing Special Element | - |