Improper Handling of Missing Values

Status: Draft
Abstraction: Variant
Structure: Simple

Description

This vulnerability occurs when software fails to properly check for or handle missing data values. It happens when a parameter, field, or argument name is provided, but its corresponding value is empty, blank, or null, and the system doesn't manage this absence safely.

Extended Description

Missing values are a common reality in data processing, but treating them incorrectly can lead to crashes, incorrect calculations, or security flaws. When a system assumes a value will always be present and proceeds without validation, it can trigger unexpected errors, expose internal system details, or create logic errors that attackers might exploit to bypass checks or corrupt data. To prevent this, developers should implement consistent validation at all data entry points. This means explicitly checking for null, empty strings, or blank values and defining a safe default behavior for each scenario, such as rejecting the input, using a sensible default, or returning a clear error message. Input sanitization and using allow-lists for expected values are also key defensive strategies.

Common Consequences

Scope: Integrity
Impact: Unexpected State

Demonstrative Examples

ID: DX-110

This Android application has registered to handle a URL when sent an intent:

Code Example (Bad), Java:

```java
// ...
// Register a receiver for the openURL intent; the receiver is expected to read the URL extra from the intent.
IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
MyReceiver receiver = new MyReceiver();
registerReceiver(receiver, filter);
```

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
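The same missing-value bug and its fix, carried to a generic parameter handler in Python. This is an added example, not code from the CWE entry; the query-string parser, the Outcome type, the parameter names and the charset allow-list are constructed for illustration. It puts the Android pattern (value assumed present, so a null crashes the handler) beside a hardened lookup that tells absent, null, empty and blank values apart and rejects each with an explicit error instead of propagating the null.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Outcome:
    """Result of a hardened lookup: either a value or an explicit error."""
    ok: bool
    value: Optional[str] = None
    error: Optional[str] = None

def parse_query(qs: str) -> dict:
    """Parse 'a=1&b=&c' keeping the three cases apart: 'b' maps to "" (name
    given, value blank) and 'c' maps to None (name given, no '=' at all)."""
    params = {}
    for part in qs.split("&"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        params[name] = value if sep else None
    return params

def open_url_unsafe(params: dict) -> int:
    """Mirrors the Android example: assumes the value is always present.
    Raises TypeError (the NullPointerException analogue) when it is None,
    and silently returns 0 when the value is an empty string."""
    return len(params.get("URLToOpen"))

def require_value(params: dict, name: str, allowed=None) -> Outcome:
    """Hardened lookup: absent, None, empty and whitespace-only values all
    map to one explicit rejection; an optional allow-list constrains
    enumerated fields such as a charset."""
    if name not in params:
        return Outcome(False, error=f"missing parameter: {name}")
    value = params[name]
    if value is None or not value.strip():
        return Outcome(False, error=f"blank value for parameter: {name}")
    if allowed is not None and value not in allowed:
        return Outcome(False, error=f"unsupported value for parameter: {name}")
    return Outcome(True, value=value)

def open_url_safe(params: dict) -> Outcome:
    return require_value(params, "URLToOpen")

def charset_safe(params: dict) -> Outcome:
    # Constructed allow-list of charsets this hypothetical app supports.
    return require_value(params, "charset", allowed={"utf-8", "iso-8859-1"})
```

The error strings are fixed, caller-facing messages; none of them echo internal state, which is the detail the "external error infoleak" entries below were leaking.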
Observed Examples

CVE-2002-0422: Blank Host header triggers resultant infoleak.
CVE-2000-1006: Blank "charset" attribute in MIME header triggers crash.
CVE-2004-1504: Blank parameter causes external error infoleak.
CVE-2005-2053: Blank parameter causes external error infoleak.
Applicable Platforms
Languages: Not Language-Specific (Undetermined)
Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
  • PLOVER
  • The CERT Oracle Secure Coding Standard for Java (2011)
Notes
Research Gap: Some "crash by port scan" bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.