logo

Improper Validation of Specified Type of Input

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when software expects a specific type of data as input but fails to properly check that the incoming data actually matches that type.

Extended Description

When software doesn't verify that input matches the expected data type, attackers can feed it malformed data. This can trigger system errors, force the application to behave incorrectly, or expose hidden security flaws that would normally be inaccessible with properly typed input. This issue is most common in programming languages that are not strictly type-safe or that allow explicit conversion between data types. Developers must implement explicit validation checks to ensure input conforms to the expected type before processing it, as relying on implicit assumptions creates a significant security gap.
Common Consequences 1
Scope: Other

Impact: Varies by Context
Potential Mitigations 1
Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Effectiveness: High
Observed Examples 2
CVE-2024-37032Large language model (LLM) management tool does not validate the format of a digest value (Improper Validation of Specified Type of Input) from a private, untrusted model registry, enabling relative path traversal (Relative Path Traversal), a.k.a. Probllama
CVE-2008-2223SQL injection through an ID that was supposed to be numeric.
Applicable Platforms
Languages:
Not Language-Specific : Often
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Improper Input Validation (CWE-20)
PeerOf: Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)
Notes
MaintenanceThis entry is still under development and will continue to see updates and content improvements.