Missing Report of Error Condition

Abstraction: Base
Structure: Simple
Status: Draft
Description

This vulnerability occurs when a system fails to properly signal that an error has happened. Instead of returning a clear error code, status, or exception, the software continues as if nothing went wrong, leaving other components unaware of the failure.

Extended Description

When a function or system component encounters a problem but doesn't report it, the calling code assumes success and proceeds with invalid or corrupted data. This silent failure can cause cascading issues like data corruption, security bypasses, or system crashes further down the line, making debugging extremely difficult because the original error point is hidden. To prevent this, developers should design consistent error-handling contracts. Every function should explicitly return a status code, throw an exception, or use a language-specific mechanism to communicate failure. Logging the error internally is not enough—the calling process must receive a clear, actionable signal to handle the condition appropriately and avoid operating on unsafe assumptions.

Common Consequences

Scope: Integrity, Other

Impact: Varies by Context, Unexpected State

Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.

Demonstrative Examples

ID : DX-185

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

Code Example (Bad, Java):

```java
try {
    // Something that may throw an exception.
    ...
} catch (Throwable t) {
    logger.error("Caught: " + t.toString());
    return;
}
```
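As an added example that is not part of the CWE entry, the snippet's behaviour and its corrected form transcribed into Python (the weakness is not language-specific) so that they run without a servlet container. The handler names, the `process_order` stand-in for the business logic, and the form dictionaries are constructed assumptions; the first element of the returned tuple stands in for the HTTP status the container would send, which defaults to 200 exactly as in the Java snippet.

```python
# Added example (not from the CWE entry): a minimal stand-in for a servlet
# doPost() handler. The form input and the process_order() business logic
# are constructed; "status" models the HTTP status the container would send.
import logging

logger = logging.getLogger("example")


class ProcessingError(Exception):
    """Raised by the constructed business logic when a request is unusable."""


def process_order(form):
    """Constructed business logic: rejects a form without a quantity field."""
    if "quantity" not in form:
        raise ProcessingError("quantity missing")
    return {"order_id": 1, "quantity": int(form["quantity"])}


def do_post_bad(form):
    """Mirrors the 'Bad' snippet: any exception is logged and the method
    returns, so the container's default 200 OK still goes to the client."""
    status = 200                          # container default, never changed
    body = ""
    try:
        result = process_order(form)
        body = "order %d accepted" % result["order_id"]
    except Exception as exc:              # catch-all, like catch (Throwable t)
        logger.error("Caught: %s", exc)
        return status, body               # error swallowed: client sees 200
    return status, body


def do_post_good(form):
    """Corrected form: the failure is still logged, but the caller receives
    an explicit error status instead of the default success."""
    try:
        result = process_order(form)
    except Exception as exc:
        logger.error("Caught: %s", exc)
        return 500, "internal error"      # explicit, actionable signal
    return 200, "order %d accepted" % result["order_id"]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler in (do_post_bad, do_post_good):
        print(handler.__name__, handler({}), handler({"quantity": "3"}))
```

With an empty form, `do_post_bad` logs the problem but answers `(200, "")`, so a client or upstream proxy has no way to tell the request failed; `do_post_good` answers `(500, "internal error")`, which is the signal the Extended Description asks for. In a real servlet the equivalent is to set an error status on the response (or let a `ServletException` propagate) rather than returning from the catch block.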

Observed Examples

  • [REF-1374] Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (Missing Report of Error Condition), thus reducing the entropy (Insufficient Entropy in PRNG) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (Use of Weak Credentials)
  • CVE-2004-0063: Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
  • CVE-2002-1446: Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
  • CVE-2002-0499: Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
  • CVE-2005-2459: Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
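The PIN and PKCS#11 examples above share one pattern: a caller maps the status of a lower-level check onto "OK" unless it sees the single failure it expected, so every other status (locked, unreadable, internal error) is reported as success. The following is an added example, not taken from the entry or from any of the cited products, and it also illustrates the Extended Description's advice that a function must return an explicit status or raise. It is a constructed PIN-check wrapper showing that mapping beside a fail-closed version; the status values, account names and PINs are invented for illustration.

```python
# Added example (not from the CWE entry): a constructed PIN-verification
# wrapper. Status values, accounts and PINs are assumptions made for the demo.
import hmac
from enum import Enum


class Status(Enum):
    VALID = 0          # PIN matched
    INVALID = 1        # PIN did not match
    LOCKED = 2         # account locked after too many attempts
    BACKEND_ERROR = 3  # the record could not be read at all


# Constructed backing store for the low-level check.
_PINS = {"alice": "1234", "bob": "9999"}
_LOCKED = {"carol"}


def low_level_check(account, pin):
    """Stand-in for the routine whose status the wrapper interprets."""
    if account in _LOCKED:
        return Status.LOCKED
    if account not in _PINS:
        return Status.BACKEND_ERROR       # constructed: no record readable
    if hmac.compare_digest(_PINS[account], pin):
        return Status.VALID
    return Status.INVALID


def verify_pin_bad(account, pin):
    """Treats only the one expected failure as a failure; every other status,
    including LOCKED and BACKEND_ERROR, is silently reported as success."""
    if low_level_check(account, pin) == Status.INVALID:
        return False
    return True


class VerificationError(Exception):
    """Verification could not be completed (as opposed to simply failed)."""


def verify_pin_good(account, pin):
    """Fail closed: success only on the explicit VALID status, False on the
    known failures, and an exception for anything unexpected so the caller
    is told the check did not run rather than handed either answer."""
    status = low_level_check(account, pin)
    if status == Status.VALID:
        return True
    if status in (Status.INVALID, Status.LOCKED):
        return False
    raise VerificationError("unexpected status from verifier: %s" % status)


if __name__ == "__main__":
    for account, pin in (("alice", "1234"), ("bob", "0000"), ("carol", "0000")):
        print(account, verify_pin_bad(account, pin), verify_pin_good(account, pin))
```

`verify_pin_bad` accepts the locked account and an account whose record cannot be read, because neither produces the one status it checks for. `verify_pin_good` only says yes on an explicit `VALID`, and turns the unreadable-record case into an exception the caller has to handle, which is the shape of error contract the entry recommends.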
References

  • [REF-1374] Unciphered. "Randstorm: You Can't Patch a House of Cards". 14-11-2023.
Applicable Platforms

Languages: Not Language-Specific (Prevalence: Undetermined)

Modes of Introduction

  • Implementation
Taxonomy Mapping
  • PLOVER
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns