Data Validation Issues

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.


Improper Restriction of Names for Files and Other Resources

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

Improper Use of Validation Framework

The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.

Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index ref...

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other actio...

Incorrect Behavior Order: Early Validation

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs th...

Missing XML Validation

The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are as...

Unchecked Input for Loop Condition

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive loo...


Software Development

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.