Improper Handling of Undefined Parameters

Status: Draft
Abstraction: Variant
Structure: Simple
Description

This weakness occurs when a product does not handle, or incorrectly handles, a parameter, field name, or argument that it does not define or support. Instead of rejecting the undefined input or ignoring it in a consistent, documented way, the product may behave unpredictably, leading to crashes, logic errors, or other security-relevant failures.

Extended Description

When an application receives a parameter it was not designed to handle, such as an unexpected URL query string key, form field, or API argument, its default behavior becomes critical. A secure application validates all input against a known schema and rejects anything undefined. A vulnerable one may instead process the data anyway, potentially causing crashes, logic errors, or exposure of internal details through error messages. Developers can prevent this by adopting a "deny-by-default" approach: define an explicit allowlist of accepted parameters (with their expected types), and route anything outside that list to a single, consistent error-handling path. That path should return a standardized error response, log the attempt for monitoring, and guarantee that no undefined parameter ever reaches the application's core logic or data flow. Note that silently dropping unknown parameters is only safe if every layer that sees the request does the same; if one component ignores a parameter that another component later consumes, the "ignore" is not safe at all.
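The following is an added example, not code from the CWE entry. It shows a lenient request handler that lets an undefined parameter flow into its options, beside a deny-by-default handler that validates against an explicit allowlist, logs rejections, and returns a uniform error. The endpoint name, the parameter names (q, page, limit) and the sample requests are assumptions constructed for illustration.

```python
import logging
from typing import Any

log = logging.getLogger("param_validation")

# Allowlist for a hypothetical /search endpoint: accepted parameter -> expected type.
# These names are assumptions for the example, not part of the CWE entry.
SEARCH_PARAMS: dict[str, type] = {"q": str, "page": int, "limit": int}
DEFAULTS: dict[str, Any] = {"q": "", "page": 1, "limit": 10}


def lenient_handle_search(raw: dict[str, str]) -> dict[str, Any]:
    """Weak pattern: merge whatever the client sent over the defaults.
    An undefined key such as 'debug' survives into the options that drive core logic."""
    return {**DEFAULTS, **raw}


class UndefinedParameterError(ValueError):
    """Raised when the request carries a parameter the schema does not define."""

    def __init__(self, names: set[str]) -> None:
        self.names = sorted(names)
        super().__init__(f"undefined parameter(s): {', '.join(self.names)}")


def validate_params(raw: dict[str, str], schema: dict[str, type]) -> dict[str, Any]:
    """Deny-by-default validation.

    Every key in `raw` must appear in `schema`; unknown keys are rejected rather than
    silently dropped, so a caller can never pass data the handler was not designed for.
    Known keys are converted to their declared type; a failed conversion is also an error.
    """
    unknown = set(raw) - set(schema)
    if unknown:
        # Log the attempt so repeated probing with undefined parameters is visible to monitoring.
        log.warning("rejected request with undefined parameters: %s", sorted(unknown))
        raise UndefinedParameterError(unknown)
    parsed: dict[str, Any] = {}
    for name, typ in schema.items():
        if name not in raw:
            continue  # parameters are optional; absence is fine, unknown presence is not
        try:
            parsed[name] = typ(raw[name])
        except (TypeError, ValueError):
            raise ValueError(f"parameter {name!r} is not a valid {typ.__name__}") from None
    return parsed


def handle_search(raw: dict[str, str]) -> tuple[int, dict[str, Any]]:
    """Hardened handler. Returns (status, body) with one standardized error shape.
    Core logic below only ever sees allowlisted, correctly typed parameters."""
    try:
        params = validate_params(raw, SEARCH_PARAMS)
    except UndefinedParameterError as exc:
        return 400, {"error": "undefined_parameter", "parameters": exc.names}
    except ValueError as exc:
        return 400, {"error": "invalid_parameter", "detail": str(exc)}
    options = {**DEFAULTS, **params}
    return 200, {"query": options["q"], "page": options["page"], "limit": options["limit"]}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    probe = {"q": "cwe", "debug": "1"}  # constructed request with one undefined parameter
    print("lenient:", lenient_handle_search(probe))
    print("hardened:", handle_search(probe))
    print("hardened (bad type):", handle_search({"page": "abc"}))
```

The important design choice is that `validate_params` rejects rather than strips unknown keys: stripping would make the handler safe in isolation, but the rejection also surfaces misuse in logs and keeps the behavior consistent with any other component that sees the same request.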

Common Consequences
Scope: Integrity

Impact: Unexpected State

Observed Examples
CVE-2002-1488: Crash in IRC client via PART message from a channel the user is not in.
CVE-2001-0650: Router crash or bad route modification using BGP updates with invalid transitive attribute.
Applicable Platforms
Languages:
Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
  • PLOVER