Improper Handling of Extra Parameters

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a system fails to properly manage situations where it receives more parameters, fields, or arguments with the same name than it was designed to handle.

Extended Description

This flaw typically arises in web applications, APIs, or command-line interfaces that parse user-supplied data without strict validation. For example, an attacker may submit several form fields or query parameters with the same name. One component (a web application firewall, a proxy, or a validation layer) may honor the first value while the back-end honors the last, so the value that was checked is not the value that is used; other implementations may concatenate the values, turn them into a list, or fail outright. The resulting unexpected behavior can lead to logic errors, security bypasses, or application crashes. To prevent this, developers should explicitly define and enforce the expected structure of incoming data. Server-side logic should reject requests containing unexpected duplicate parameters or apply one documented rule for handling them (e.g., always the first value, or always the last), consistently across every component that inspects the request. Input validation libraries and secure parsing functions help ensure the application's logic matches its data-handling assumptions, closing this common attack vector.
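The following Python sketch is an added illustration, not part of the CWE entry. It shows three ways a query string with a repeated name can be parsed: a naive dict() that silently keeps the last value, an explicit first-wins policy, and a strict parser that rejects duplicates (and, optionally, unknown names). The request, the "role" field and the assumption that a front-end filter uses first-wins parsing while the back-end uses the naive parser are constructed for the example; the mismatch between the two is exactly the weakness described above.

```python
"""Duplicate-parameter handling policies (added example, not CWE content)."""
from urllib.parse import parse_qsl


class DuplicateParameterError(ValueError):
    """Raised when a parameter name appears more than once."""


def naive_parse(query):
    """dict() over the pairs silently keeps the LAST value for each name.

    This is the behaviour many hand-rolled parsers end up with.
    """
    return dict(parse_qsl(query, keep_blank_values=True))


def first_wins_parse(query):
    """Explicit policy: the FIRST occurrence of a name wins."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        result.setdefault(name, value)
    return result


def strict_parse(query, allowed=None):
    """Reject repeated names and, when `allowed` is given, unknown names."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if allowed is not None and name not in allowed:
            raise ValueError(f"unexpected parameter: {name!r}")
        if name in result:
            raise DuplicateParameterError(f"duplicate parameter: {name!r}")
        result[name] = value
    return result


def role_seen_by(parser, query):
    """Return the 'role' value as seen by a component using `parser`,
    or 'rejected' when that parser refuses the request."""
    try:
        return parser(query).get("role", "")
    except ValueError:
        return "rejected"


# Constructed request: 'role' is sent twice, the second copy privileged.
CONSTRUCTED_QUERY = "user=alice&role=user&role=admin"


def compare_policies(query=CONSTRUCTED_QUERY):
    """Assumption (for the example): the front-end filter parses first-wins,
    the back-end parses naively (last-wins), so the value the filter
    checked is not the value the back-end acts on."""
    return {
        "filter_sees": role_seen_by(first_wins_parse, query),
        "backend_uses": role_seen_by(naive_parse, query),
        "strict": role_seen_by(strict_parse, query),
    }


if __name__ == "__main__":
    for component, role in compare_policies().items():
        print(f"{component:13s} {role}")
```

The strict parser is the recommended shape: it makes the duplicate visible as an error instead of picking a value by accident, and passing an `allowed` set additionally enforces the expected parameter structure. If a first- or last-wins rule is chosen instead, every component that inspects the request must use the same rule.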

Common Consequences
Scope: Integrity

Impact: Unexpected State

Observed Examples
CVE-2003-1014: MIE (multiple interpretation error). Multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients.
Applicable Platforms
Languages:
Not Language-Specific (Undetermined Prevalence)
Modes of Introduction
Implementation
Related Attack Patterns
Related Weaknesses
Taxonomy Mapping
  • PLOVER
Notes
Relationship: This type of problem plays a large role in multiple interpretation vulnerabilities and various HTTP attacks.