Common Weakness Enumeration

CWE-754

Allowed-with-Review

Improper Check for Unusual or Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

909 vulnerabilities reference this CWE, most recent first.

GHSA-8F99-G2PJ-X8W3

Vulnerability from github – Published: 2024-04-26 09:30 – Updated: 2024-04-26 19:11
VLAI
Summary
Mattermost crashes web clients via a malformed custom status
Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.1.11"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1.0"
            },
            {
              "fixed": "8.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.0"
            },
            {
              "fixed": "9.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.5.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.5.0"
            },
            {
              "fixed": "9.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.6.0-rc1"
            },
            {
              "fixed": "9.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-4182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-26T19:11:12Z",
    "nvd_published_at": "2024-04-26T09:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users\u0027 web clients via a malformed custom status.\n\n",
  "id": "GHSA-8f99-g2pj-x8w3",
  "modified": "2024-04-26T19:11:13Z",
  "published": "2024-04-26T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/41333a0babf565453d89287549bec1e546e75ce7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/6cbab0f7ece104681f73dd12c75d9f22d567125e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/a99dadd80c57d376185ca06f8f70919a6f135bc6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/f84f8ed65f6a5faba974426424b684635455a527"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost crashes web clients via a malformed custom status"
}

GHSA-8FVR-W73F-3PRR

Vulnerability from github – Published: 2024-06-16 18:31 – Updated: 2024-08-07 21:31
VLAI
Details

irodsServerMonPerf in iRODS before 4.3.2 attempts to proceed with use of a path even if it is not a directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-16T16:15:09Z",
    "severity": "HIGH"
  },
  "details": "irodsServerMonPerf in iRODS before 4.3.2 attempts to proceed with use of a path even if it is not a directory.",
  "id": "GHSA-8fvr-w73f-3prr",
  "modified": "2024-08-07T21:31:43Z",
  "published": "2024-06-16T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irods/irods/issues/7652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irods/irods/releases/tag/4.3.2"
    },
    {
      "type": "WEB",
      "url": "https://irods.org/2024/05/irods-4-3-2-is-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8G29-8XWR-QMHR

Vulnerability from github – Published: 2026-03-25 17:33 – Updated: 2026-03-25 17:33
VLAI
Summary
@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling
Details

Impact

JSON.parse(env.adapterConfig) is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler.

Additionally, the parsed result is cast as Record<string, unknown> and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised.

Affected code: - packages/server/src/grpc-service.ts:415reconnectOrProvision handler - packages/server/src/grpc-service.ts:482stopEnvironment handler - packages/server/src/grpc-service.ts:498destroyEnvironment handler

Patches

Fix: Wrap in try-catch and return a meaningful gRPC error:

let config: Record<string, unknown>;
try {
  config = JSON.parse(env.adapterConfig) as Record<string, unknown>;
} catch {
  throw new ConnectError("Invalid adapter configuration", Code.Internal);
}

Workarounds

Ensure database integrity. Back up the SQLite database regularly.

Resources

  • CWE-754: Improper Check for Unusual or Exceptional Conditions
  • File: packages/server/src/grpc-service.ts
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.70.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@grackle-ai/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.70.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T17:33:01Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\n`JSON.parse(env.adapterConfig)` is called without error handling in three locations within the gRPC service. While the data originates from the server\u0027s own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler.\n\nAdditionally, the parsed result is cast as `Record\u003cstring, unknown\u003e` and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised.\n\n**Affected code:**\n- `packages/server/src/grpc-service.ts:415` \u2014 `reconnectOrProvision` handler\n- `packages/server/src/grpc-service.ts:482` \u2014 `stopEnvironment` handler\n- `packages/server/src/grpc-service.ts:498` \u2014 `destroyEnvironment` handler\n\n### Patches\n\n**Fix:** Wrap in try-catch and return a meaningful gRPC error:\n```typescript\nlet config: Record\u003cstring, unknown\u003e;\ntry {\n  config = JSON.parse(env.adapterConfig) as Record\u003cstring, unknown\u003e;\n} catch {\n  throw new ConnectError(\"Invalid adapter configuration\", Code.Internal);\n}\n```\n\n### Workarounds\n\nEnsure database integrity. Back up the SQLite database regularly.\n\n### Resources\n\n- CWE-754: Improper Check for Unusual or Exceptional Conditions\n- File: `packages/server/src/grpc-service.ts`",
  "id": "GHSA-8g29-8xwr-qmhr",
  "modified": "2026-03-25T17:33:01Z",
  "published": "2026-03-25T17:33:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-8g29-8xwr-qmhr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nick-pape/grackle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling"
}

GHSA-8G4C-2Q3X-9MWX

Vulnerability from github – Published: 2025-12-16 06:30 – Updated: 2025-12-16 06:30
VLAI
Details

CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T05:16:13Z",
    "severity": "HIGH"
  },
  "details": "CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive.",
  "id": "GHSA-8g4c-2q3x-9mwx",
  "modified": "2025-12-16T06:30:19Z",
  "published": "2025-12-16T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61976"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU92827367"
    },
    {
      "type": "WEB",
      "url": "https://www.inaba.co.jp/files/chocomini_vulnerability_newly_identified.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8G7V-H849-8G58

Vulnerability from github – Published: 2024-11-09 00:30 – Updated: 2024-11-12 18:30
VLAI
Details

vmir e8117 was discovered to contain a segmentation violation via the wasm_parse_block function at /src/vmir_wasm_parser.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-08T22:15:16Z",
    "severity": "MODERATE"
  },
  "details": "vmir e8117 was discovered to contain a segmentation violation via the wasm_parse_block function at /src/vmir_wasm_parser.c.",
  "id": "GHSA-8g7v-h849-8g58",
  "modified": "2024-11-12T18:30:51Z",
  "published": "2024-11-09T00:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35421"
    },
    {
      "type": "WEB",
      "url": "https://github.com/andoma/vmir/issues/22"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/haruki3hhh/318c4e35531f9e3b01df51016ac5c12b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8HGV-2X29-2PRX

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. This CVE ID is unique from CVE-2021-22742, CVE-2021-22744, CVE-2021-22745, and CVE-2021-22747.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T20:15:00Z",
    "severity": "LOW"
  },
  "details": "Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. This CVE ID is unique from CVE-2021-22742, CVE-2021-22744, CVE-2021-22745, and CVE-2021-22747.",
  "id": "GHSA-8hgv-2x29-2prx",
  "modified": "2022-05-24T19:03:16Z",
  "published": "2022-05-24T19:03:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22746"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8HVJ-G8H8-46HP

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T17:16:17Z",
    "severity": "MODERATE"
  },
  "details": "Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
  "id": "GHSA-8hvj-g8h8-46hp",
  "modified": "2026-02-10T18:30:40Z",
  "published": "2026-02-10T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32735"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01403.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8HW7-7F8R-5QCM

Vulnerability from github – Published: 2023-06-16 18:30 – Updated: 2024-04-04 04:55
VLAI
Details

A lack of exception handling in the Volkswagen Discover Media Infotainment System Software Version 0876 allows attackers to cause a Denial of Service (DoS) via supplying crafted media files when connecting a device to the vehicle's USB plug and play feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-16T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A lack of exception handling in the Volkswagen Discover Media Infotainment System Software Version 0876 allows attackers to cause a Denial of Service (DoS) via supplying crafted media files when connecting a device to the vehicle\u0027s USB plug and play feature.",
  "id": "GHSA-8hw7-7f8r-5qcm",
  "modified": "2024-04-04T04:55:09Z",
  "published": "2023-06-16T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zj3t/Automotive-vulnerabilities/tree/main/VW/jetta2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8J33-P3G4-9J74

Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-19 00:00
VLAI
Details

SWFMill commit 53d7690 was discovered to contain a segmentation violation via SWF::DeclareFunction2::write(SWF::Writer, SWF::Context).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-16T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SWFMill commit 53d7690 was discovered to contain a segmentation violation via SWF::DeclareFunction2::write(SWF::Writer*, SWF::Context*).",
  "id": "GHSA-8j33-p3g4-9j74",
  "modified": "2022-08-19T00:00:23Z",
  "published": "2022-08-17T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36140"
    },
    {
      "type": "WEB",
      "url": "https://github.com/djcsdy/swfmill/issues/57"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8J5H-CXPP-7G62

Vulnerability from github – Published: 2025-04-19 21:30 – Updated: 2025-04-19 21:30
VLAI
Details

7-Zip through 24.09 does not report an error for certain invalid xz files, involving stream flags and reserved bits.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-19T21:15:45Z",
    "severity": "LOW"
  },
  "details": "7-Zip through 24.09 does not report an error for certain invalid xz files, involving stream flags and reserved bits.",
  "id": "GHSA-8j5h-cxpp-7g62",
  "modified": "2025-04-19T21:30:28Z",
  "published": "2025-04-19T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boofish/semantic-bugs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is expected.

Mitigation
Implementation

If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
Architecture and Design Implementation

If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.

Mitigation
Architecture and Design

Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.

No CAPEC attack patterns related to this CWE.