Improper Handling of Unexpected Data Type

Description

This vulnerability occurs when software fails to properly validate or safely process data that arrives in an unexpected format. For example, the system might expect a numeric input but receives text instead, leading to crashes, errors, or security issues.

Extended Description

At its core, this weakness is about broken assumptions in your code's data handling. Developers often write logic expecting data in a specific format—like integers, strings, or structured objects. When the incoming data doesn't match that type (e.g., a user submits 'abc' where a number is required), the application may throw unhandled exceptions, behave unpredictably, or expose internal system details through error messages. To prevent this, implement strict input validation and type checking at all system boundaries. Use strong typing in your programming language where possible, and always sanitize and verify data from external sources like user inputs, APIs, or files before processing. Defensive coding practices, such as using try-catch blocks and designing functions to handle a range of input types gracefully, are essential to maintain stability and security when faced with unexpected data.

Common Consequences 1

Scope: IntegrityOther

Impact: Varies by ContextUnexpected State

Potential Mitigations 2

Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Observed Examples 2

CVE-1999-1156FTP server crash via PORT command with non-numeric character.

CVE-2004-0270Anti-virus product has assert error when line length is non-numeric.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Related Attack Patterns

48
Path Equivalence: 'file name' (Internal Whitespace)

Related Weaknesses

ChildOf:

Improper Handling of Syntactically Invalid Structure (CWE-228)

Taxonomy Mapping

PLOVER
CERT C Secure Coding

Notes

Research GapProbably under-studied.