Return of Wrong Status Code

Status: Draft
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an operation. This false signal can cause the application to behave in unexpected and potentially insecure ways.

Extended Description

When a system relies on these incorrect return codes to make decisions, it can lead to unpredictable application states, logic errors, and instability. For example, a function might incorrectly report a successful file deletion or a failed authentication check, causing the program flow to proceed down the wrong path. If these status checks are part of security-critical logic—like access control, authentication, or data validation—the consequences are severe. The application might grant access to unauthorized users, assume a dangerous operation succeeded safely, or fail to alert on genuine security failures, creating hidden vulnerabilities that attackers can exploit.

Common Consequences

Scope: Integrity, Other

Impact: Unexpected State, Alter Execution Logic

This weakness could place the system in a state that leads to unexpected logic being executed or to other unintended behaviors.

Detection Methods

Method: Fuzzing (Effectiveness: High)
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Demonstrative Examples

ID: DX-186

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

Code Example:

Bad (Java):

```java
try {
    // something that might throw IOException
    ...
} catch (IOException ioe) {
    // Every I/O failure is reported as "resource not found", even when the
    // resource exists and the failure lies elsewhere.
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
}
```
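As an added example (not part of this CWE entry, and in Python rather than Java), the same weakness in the file-deletion case named in the Extended Description: a routine that collapses every failure into "not found" next to a corrected version, plus a small differential fuzzing harness in the spirit of the Detection Methods section that counts how often a returned status contradicts the file system. The names `Status`, `delete_file_bad`, `delete_file_good`, `status_is_wrong` and `fuzz_delete`, and the targets built in a temporary directory, are constructed for this illustration.

```python
import os
import random
import tempfile
from enum import Enum

class Status(Enum):
    OK = 0          # resource removed
    NOT_FOUND = 1   # resource was already absent
    ERROR = 2       # operation failed; resource still present

def delete_file_bad(path: str) -> Status:
    # Weak version: every OSError is reported as NOT_FOUND, so a caller that
    # treats NOT_FOUND as "already gone" proceeds as if deletion had happened.
    try:
        os.remove(path)
        return Status.OK
    except OSError:
        return Status.NOT_FOUND

def delete_file_good(path: str) -> Status:
    # Hardened version: only a missing file is NOT_FOUND; any other failure
    # (permission denied, path is a directory, ...) is reported as ERROR.
    try:
        os.remove(path)
        return Status.OK
    except FileNotFoundError:
        return Status.NOT_FOUND
    except OSError:
        return Status.ERROR

def status_is_wrong(status: Status, path: str) -> bool:
    # Oracle: OK and NOT_FOUND both claim the path is gone, ERROR claims it is
    # still there; compare that claim with what the file system actually reports.
    claims_gone = status is not Status.ERROR
    return claims_gone == os.path.lexists(path)

def fuzz_delete(delete, trials: int = 200, seed: int = 1) -> int:
    """Count how often delete()'s status code misrepresents the outcome on random targets."""
    rng = random.Random(seed)
    mismatches = 0
    with tempfile.TemporaryDirectory() as base:
        for i in range(trials):
            path = os.path.join(base, f"target{i}")
            kind = rng.choice(["file", "missing", "directory"])
            if kind == "file":
                open(path, "w").close()
            elif kind == "directory":
                os.mkdir(path)  # os.remove() fails here, but not with FileNotFoundError
            if status_is_wrong(delete(path), path):
                mismatches += 1
    return mismatches
```

Running `fuzz_delete(delete_file_bad)` reports a mismatch for every directory target, because the weak version tells the caller the path is gone while it still exists; `fuzz_delete(delete_file_good)` reports none.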

Observed Examples
  • CVE-2003-1132: DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
  • CVE-2001-1509: Hardware-specific implementation of system call causes incorrect results from geteuid.
  • CVE-2001-1559: Chain: System call returns wrong value (Return of Wrong Status Code), leading to a resultant NULL dereference (NULL Pointer Dereference).
  • CVE-2014-1266: Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). Incorrect Control Flow Scoping -> Dead Code -> Improper Certificate Validation -> Return of Wrong Status Code -> Channel Accessible by Non-Endpoint.
Applicable Platforms
Languages:
Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Relationship: This can be primary or resultant, but it is probably most often primary to other issues.