Behavioral Problems

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to unexpected behaviors from code that an application uses.


Behavioral Change in New Version or Environment

A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.

Comparison Using Wrong Factors

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect resu...

Compiler Optimization Removal or Modification of Security-critical Code

The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.

Execution After Redirect (EAR)

The web application sends a redirect to another location, but instead of exiting, it executes additional code.

Expected Behavior Violation

A feature, API, or function does not perform according to its specification.

Improper Enforcement of a Single, Unique Action

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enf...

Improper Enforcement of Behavioral Workflow

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in ...

Incomplete Model of Endpoint Features

A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, poten...

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but i...

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Incorrect Behavior Order: Early Amplification

The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.

Incorrect Behavior Order: Early Validation

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs th...

Incorrect Block Delimitation

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Misinterpretation of Input

The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

Omitted Break Statement in Switch

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the...

Operator Precedence Logic Error

The product uses an expression in which operator precedence causes incorrect logic to be used.

Processor Optimization Removal or Modification of Security-critical Code

The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is re...

Use of Incorrect Operator

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.


Software Development

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.