Common Weakness Enumeration

CWE-1284

Allowed

Improper Validation of Specified Quantity in Input

Abstraction: Base · Status: Incomplete

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

494 vulnerabilities reference this CWE, most recent first.

GHSA-2VF6-7R77-GGP5

Vulnerability from github – Published: 2026-01-31 00:30 – Updated: 2026-01-31 00:30
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T22:15:55Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.",
  "id": "GHSA-2vf6-7r77-ggp5",
  "modified": "2026-01-31T00:30:28Z",
  "published": "2026-01-31T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36424"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7257695"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2VJV-62J5-C7H3

Vulnerability from github – Published: 2023-05-16 00:30 – Updated: 2024-04-04 04:10
VLAI
Details

In apu, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07767826; Issue ID: ALPS07767826.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-15T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In apu, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07767826; Issue ID: ALPS07767826.",
  "id": "GHSA-2vjv-62j5-c7h3",
  "modified": "2024-04-04T04:10:23Z",
  "published": "2023-05-16T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20704"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/May-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2VV3-56QG-G2CF

Vulnerability from github – Published: 2022-05-24 22:10 – Updated: 2022-05-24 22:10
VLAI
Summary
Missing validation causes denial of service via `LSTMBlockCell`
Details

Impact

The implementation of tf.raw_ops.LSTMBlockCell does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack:

import tensorflow as tf

tf.raw_ops.LSTMBlockCell( 
  x=tf.constant(0.837607, shape=[28,29], dtype=tf.float32),
  cs_prev=tf.constant(0, shape=[28,17], dtype=tf.float32),
  h_prev=tf.constant(0.592631638, shape=[28,17], dtype=tf.float32),
  w=tf.constant(0.887386262, shape=[46,68], dtype=tf.float32),
  wci=tf.constant(0, shape=[], dtype=tf.float32),
  wcf=tf.constant(0, shape=[17], dtype=tf.float32),
  wco=tf.constant(0.592631638, shape=[28,17], dtype=tf.float32),
  b=tf.constant(0.75259006, shape=[68], dtype=tf.float32),
  forget_bias=1, cell_clip=0, use_peephole=False)

The code does not validate the ranks of any of the arguments to this API call. This results in CHECK-failures when the elements of the tensor are accessed.

Patches

We have patched the issue in GitHub commit 803404044ae7a1efac48ba82d74111fce1ddb09a.

The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou from Secure Systems Lab at Brown University.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-24T22:10:01Z",
    "nvd_published_at": "2022-05-20T22:16:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe implementation of [`tf.raw_ops.LSTMBlockCell`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/rnn/lstm_ops.cc) does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack:\n\n```python\nimport tensorflow as tf\n\ntf.raw_ops.LSTMBlockCell( \n  x=tf.constant(0.837607, shape=[28,29], dtype=tf.float32),\n  cs_prev=tf.constant(0, shape=[28,17], dtype=tf.float32),\n  h_prev=tf.constant(0.592631638, shape=[28,17], dtype=tf.float32),\n  w=tf.constant(0.887386262, shape=[46,68], dtype=tf.float32),\n  wci=tf.constant(0, shape=[], dtype=tf.float32),\n  wcf=tf.constant(0, shape=[17], dtype=tf.float32),\n  wco=tf.constant(0.592631638, shape=[28,17], dtype=tf.float32),\n  b=tf.constant(0.75259006, shape=[68], dtype=tf.float32),\n  forget_bias=1, cell_clip=0, use_peephole=False)\n``` \n  \nThe code does not validate the ranks of any of the arguments to this API call. This results in `CHECK`-failures when the elements of the tensor are accessed.\n    \n### Patches\nWe have patched the issue in GitHub commit [803404044ae7a1efac48ba82d74111fce1ddb09a](https://github.com/tensorflow/tensorflow/commit/803404044ae7a1efac48ba82d74111fce1ddb09a).\n    \nThe fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.\n\n### For more information                \nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n    \n### Attribution\nThis vulnerability has been reported by Neophytos Christou from Secure Systems Lab at Brown University.\n",
  "id": "GHSA-2vv3-56qg-g2cf",
  "modified": "2022-05-24T22:10:01Z",
  "published": "2022-05-24T22:10:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2vv3-56qg-g2cf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/803404044ae7a1efac48ba82d74111fce1ddb09a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/rnn/lstm_ops.cc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing validation causes denial of service via `LSTMBlockCell`"
}

GHSA-2XC5-QJQV-QJRP

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:17:03Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Other Vulnerability Type in WpEvently \u003c= 5.3.3 versions.",
  "id": "GHSA-2xc5-qjqv-qjrp",
  "modified": "2026-06-15T21:30:47Z",
  "published": "2026-06-15T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45441"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-3-3-other-vulnerability-type-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33XP-654M-3J2X

Vulnerability from github – Published: 2025-02-25 21:31 – Updated: 2025-02-25 21:31
VLAI
Details

NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the cuobjdump binary, where a user could cause a crash by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-25T21:15:17Z",
    "severity": "LOW"
  },
  "details": "NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the cuobjdump binary, where a user could cause a crash by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.",
  "id": "GHSA-33xp-654m-3j2x",
  "modified": "2025-02-25T21:31:45Z",
  "published": "2025-02-25T21:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53879"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5594"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-379R-2P3H-M47V

Vulnerability from github – Published: 2026-06-10 15:31 – Updated: 2026-06-10 15:31
VLAI
Details

libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T15:16:42Z",
    "severity": "HIGH"
  },
  "details": "libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c.",
  "id": "GHSA-379r-2p3h-m47v",
  "modified": "2026-06-10T15:31:33Z",
  "published": "2026-06-10T15:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sahlberg/libnfs/commit/55c18ea33a83d667f79f0ef209c96895795c729f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37V8-9C9H-3MQR

Vulnerability from github – Published: 2023-05-16 00:30 – Updated: 2024-04-04 04:10
VLAI
Details

In keyinstall, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07576951; Issue ID: ALPS07576951.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-15T22:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In keyinstall, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07576951; Issue ID: ALPS07576951.",
  "id": "GHSA-37v8-9c9h-3mqr",
  "modified": "2024-04-04T04:10:42Z",
  "published": "2023-05-16T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20709"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/May-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37VV-65J3-R854

Vulnerability from github – Published: 2023-04-01 06:31 – Updated: 2023-04-10 15:30
VLAI
Details

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer driver nvlddmkm.sys, where an can cause CWE-1284, which may lead to hypothetical Information leak of unimportant data such as local variable data of the driver

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-01T05:15:00Z",
    "severity": "LOW"
  },
  "details": "NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer driver nvlddmkm.sys, where an can cause CWE-1284, which may lead to hypothetical Information leak of unimportant data such as local variable data of the driver",
  "id": "GHSA-37vv-65j3-r854",
  "modified": "2023-04-10T15:30:26Z",
  "published": "2023-04-01T06:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0195"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5452"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3C68-7MFH-FV9V

Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2023-08-08 15:31
VLAI
Details

In Open5GS 2.4.0, a crafted packet from UE can crash SGW-U/UPF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-23T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Open5GS 2.4.0, a crafted packet from UE can crash SGW-U/UPF.",
  "id": "GHSA-3c68-7mfh-fv9v",
  "modified": "2023-08-08T15:31:26Z",
  "published": "2021-12-24T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45462"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open5gs/open5gs/commit/a0f2535cb5a29bba6dbbccdb90c74ccd770cc700"
    },
    {
      "type": "WEB",
      "url": "https://www.trendmicro.com/en_us/research/23/i/attacks-on-5g-infrastructure-from-users-devices.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CXC-PHXH-65VQ

Vulnerability from github – Published: 2025-04-21 00:30 – Updated: 2025-11-03 21:33
VLAI
Details

In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-21T00:15:33Z",
    "severity": "LOW"
  },
  "details": "In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values.",
  "id": "GHSA-3cxc-phxh-65vq",
  "modified": "2025-11-03T21:33:41Z",
  "published": "2025-04-21T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibRaw/LibRaw/compare/0.21.3...0.21.4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00038.html"
    },
    {
      "type": "WEB",
      "url": "https://www.libraw.org/news/libraw-0-21-4-release"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

No CAPEC attack patterns related to this CWE.