{"@ID": "1284", "@Name": "Improper Validation of Specified Quantity in Input", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.", "Extended_Description": {"xhtml:p": "Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc."}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "20", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "20", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "789", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Often"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "Since quantities are often used to affect resource allocation or process financial data, they are often present in many places in the code."}}, "Common_Consequences": {"Consequence": {"Scope": ["Other", "Integrity", "Availability"], "Impact": ["Varies by Context", "DoS: Resource Consumption (CPU)", "Modify Memory", "Read Memory"], "Note": "When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)"}}, "Potential_Mitigations": {"Mitigation": {"@Mitigation_ID": "MIT-5", "Phase": "Implementation", "Strategy": "Input Validation", "Description": {"xhtml:p": ["Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.", "When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"", "Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright."]}, "Effectiveness": "High"}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-135", "Intro_Text": "This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "#text": "...public static final double price = 20.00;int quantity = currentUser.getAttribute(\"quantity\");double total = price * quantity;chargeUser(total);..."}}, "Body_Text": "The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited."}, {"@Demonstrative_Example_ID": "DX-136", "Intro_Text": "This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null, null, null, null, null, null], "xhtml:i": "/* board dimensions */", "xhtml:div": [{"@style": "margin-left:1em;", "#text": "die(\"No integer passed: Die evil hacker!\\n\");"}, {"@style": "margin-left:1em;", "#text": "die(\"No integer passed: Die evil hacker!\\n\");"}, {"@style": "margin-left:1em;", "#text": "die(\"Value too large: Die evil hacker!\\n\");"}], "#text": "...#define MAX_DIM 100...\n                     \n                     \n                     int m,n, error;board_square_t *board;printf(\"Please specify the board height: \\n\");error = scanf(\"%d\", &m);if ( EOF == error ){}printf(\"Please specify the board width: \\n\");error = scanf(\"%d\", &n);if ( EOF == error ){}if ( m > MAX_DIM || n > MAX_DIM ) {}board = (board_square_t*) malloc( m * n * sizeof(board_square_t));..."}}, "Body_Text": "While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program."}, {"@Demonstrative_Example_ID": "DX-236", "Intro_Text": "The following code is a workflow job written\n\t      using YAML. The code attempts to download pull request\n\t      artifacts, unzip from the artifact called pr.zip and\n\t      extract the value of the file NR into a variable\n\t      \"pr_number\" that will be used later in another job.  It\n\t      attempts to create a github workflow environment\n\t      variable, writing to $GITHUB_ENV. The environment\n\t      variable value is retrieved from an external\n\t      resource.", "Example_Code": [{"@Nature": "Bad", "@Language": "Other", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "#text": "owner: context.repo.owner,\n\t\t\t    repo: context.repo.repo,\n\t\t\t    run_id: ${{ github.event.workflow_run.id }},"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "return artifact.name == \"pr\""}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "#text": "owner: context.repo.owner,\n\t\t\t    repo: context.repo.repo,\n\t\t\t    artifact_id: matchPrArtifact.id,\n\t\t\t    archive_format: 'zip',"}], "#text": "var artifacts = await github.actions.listWorkflowRunArtifacts({\n\t\t\t  \n\t\t\t  });\n\t\t\t  var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {\n\t\t\t  \n\t\t\t  })[0];\n\t\t\t  var downloadPr = await github.actions.downloadArtifact({\n\t\t\t  \n\t\t\t  });\n\t\t\t  var fs = require('fs');\n\t\t\t  fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));"}, "#text": "script: |"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "unzip pr.zip\n\t\t\techo \"pr_number=$(cat NR)\" >> $GITHUB_ENV"}], "#text": "- name: 'Download artifact'\n\t\t      uses: actions/github-script\n\t\t      with:\n\t\t      \n\t\t      - run: |"}, "#text": "runs-on: ubuntu-latest\n\t\t    steps:"}, "#text": "deploy:"}, "#text": "name: Deploy Preview\n\t\tjobs:"}, {"@Nature": "Attack", "#text": "\\nNODE_OPTIONS=\"--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//\""}, {"@Nature": "Good", "@Language": "Other", "#text": "The code could be modified to validate that the NR\n\t\tfile only contains a numeric value, or the code could\n\t\tretrieve the PR number from a more trusted source."}], "Body_Text": [{"xhtml:p": ["The code does not neutralize the value of the\n\t\tfile NR, e.g. by validating that NR only contains a\n\t\tnumber (CWE-1284). The NR file is attacker controlled\n\t\tbecause it originates from a pull request that produced\n\t\tpr.zip.", "The attacker could escape the existing\n\t\tpr_number and create a new variable using a \"\\n\"\n\t\t(CWE-93) followed by any environment variable to be\n\t\tadded such as:"]}, {"xhtml:p": "This would result in injecting and running\n\t\tjavascript code (CWE-94) on the workflow runner with\n\t\televated privileges."}]}, {"Intro_Text": "The following PHP code could be from a shopping cart application. It allows users to apply a discount to an item.", "Example_Code": [{"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null, null, null], "#text": "$discount = $_POST['discount'];\n\t\t  $originalPrice = 100.00;\n\t\t  $finalPrice = $originalPrice - ($originalPrice * $discount / 100);\n\t\t  processPayment($finalPrice);"}}, {"@Nature": "Good", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null], "xhtml:i": "// only these discounts are valid", "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "http_response_code(400);\n                    exit('Invalid discount.');"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "http_response_code(400);\n\t\t    exit('Invalid final price.');"}], "#text": "$original_price = 100.00;\n\t\t  $allowed_discounts = [0, 10, 20, 50]; \n\t\t  $discount = (int) ($_POST['discount'] ?? 0);\n\t\t  if (!in_array($discount, $allowed_discounts, true)) {\n                  \n\t\t  }\n\t\t  $final_price = $original_price - ($original_price * $discount / 100);\n\t\t  if ($final_price <= 0) {\n\t\t  \n\t\t  }\n\t\t  processPayment($final_price);"}}], "Body_Text": ["This code does not validate or restrict the discount percentage. An attacker could submit a discount value of 100, making the final price zero, or a value greater than 100, making the final price negative. Depending on how processPayment() handles zero or negative amounts, this could result in unauthorized free purchases or other payment logic flaws, such as getting money credited instead of paying.", "Notice that this new code still allows the attacker to choose the highest discount, which might be against the business logic of the application. It would be better to store the discounts in a database where they cannot be directly influenced by users, but that is outside the scope of CWE-1284."]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2025-4037", "Description": "ATM simulator does not check for negative values with deposits or withdrawals, allowing attackers to increase their balance", "Link": "https://www.cve.org/CVERecord?id=CVE-2025-4037"}, {"Reference": "CVE-2025-46687", "Description": "Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based buffer overflow (CWE-122)", "Link": "https://www.cve.org/CVERecord?id=CVE-2025-46687"}, {"Reference": "CVE-2019-19911", "Description": "Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).", "Link": "https://www.cve.org/CVERecord?id=CVE-2019-19911"}, {"Reference": "CVE-2008-1440", "Description": "lack of validation of length field leads to infinite loop", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-1440"}, {"Reference": "CVE-2008-2374", "Description": "lack of validation of string length fields allows memory consumption or buffer over-read", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-2374"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "This entry is still under development and will continue to see updates and content improvements."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2020-06-24", "Submission_Version": "4.1", "Submission_ReleaseDate": "2020-02-24"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Modes_of_Introduction, Observed_Examples, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Affan Ahmed", "Contribution_Date": "2025-02-28", "Contribution_Version": "4.20", "Contribution_ReleaseDate": "2026-04-30", "Contribution_Comment": "Provided a demonstrative example in PHP"}}}
