Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-478 Base Draft
Missing Default Case in Multiple Condition Expression
This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values.
Definition
What is CWE-478?
This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values.
When a switch or similar multi-branch statement has no default case, any unhandled input value can cause the program to take no action or follow an incorrect logic path. This creates a silent failure point where the application's behavior becomes unpredictable, often leading to logic errors, data corruption, or crashes that can be exploited to bypass security controls or disrupt service.
Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack. While SAST tools catch the pattern, Plexicus uses AI to suggest the actual code fix—such as adding a default case to log, throw an exception, or assign a safe fallback value—saving hours of manual work and preventing cascading failures from poor error handling.
Real-world impact
Real-world CVEs caused by CWE-478
No public CVE references are linked to this CWE in MITRE's catalog yet.
How attackers exploit it
Step-by-step attacker path
- 1
The following does not properly check the return code in the case where the security_check function returns a -1 value when an error occurs. If an attacker can supply data that will invoke an error, the attacker can bypass the security check:
- 2
Instead a default label should be used for unaccounted conditions:
- 3
This label is used because the assumption cannot be made that all possible cases are accounted for. A good practice is to reserve the default case for error handling.
- 4
In the following Java example the method getInterestRate retrieves the interest rate for the number of points for a mortgage. The number of points is provided within the input parameter and a switch statement will set the interest rate value to be returned based on the number of points.
- 5
However, this code assumes that the value of the points input parameter will always be 0, 1 or 2 and does not check for other incorrect values passed to the method. This can be easily accomplished by providing a default label in the switch statement that outputs an error message indicating an invalid value for the points input parameter and returning a null value.
Vulnerable code example
Vulnerable C
The following does not properly check the return code in the case where the security_check function returns a -1 value when an error occurs. If an attacker can supply data that will invoke an error, the attacker can bypass the security check:
#define FAILED 0
#define PASSED 1
int result;
...
result = security_check(data);
switch (result) {
case FAILED:
printf("Security check failed!\n");
exit(-1);
```
//Break never reached because of exit()*
break;
case PASSED:
```
printf("Security check passed.\n");
break;
}
```
// program execution continues...*
... Secure code example
Secure C
Instead a default label should be used for unaccounted conditions:
#define FAILED 0
#define PASSED 1
int result;
...
result = security_check(data);
switch (result) {
case FAILED:
printf("Security check failed!\n");
exit(-1);
```
//Break never reached because of exit()*
break;
case PASSED:
```
printf("Security check passed.\n");
break;
default:
printf("Unknown error (%d), exiting...\n",result);
exit(-1);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-478
- Implementation Ensure that there are no cases unaccounted for when adjusting program flow or values based on the value of a given variable. In the case of switch style statements, the very simple act of creating a default case can, if done correctly, mitigate this situation. Often however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. This is poor practice and in some cases is as bad as omitting a default case entirely.
Detection signals
How to detect CWE-478
Plexicus auto-detects CWE-478 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-478?
How serious is CWE-478?
What languages or platforms are affected by CWE-478?
How can I prevent CWE-478?
How does Plexicus detect and fix CWE-478?
Where can I learn more about CWE-478?
Frequently asked questions
What is CWE-478?
This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values.
How serious is CWE-478?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.
What languages or platforms are affected by CWE-478?
MITRE lists the following affected platforms: C, C++, Java, C#, Python, JavaScript.
How can I prevent CWE-478?
Ensure that there are no cases unaccounted for when adjusting program flow or values based on the value of a given variable. In the case of switch style statements, the very simple act of creating a default case can, if done correctly, mitigate this situation. Often however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. This is poor practice and in some cases is as bad as omitting a default case entirely.
How does Plexicus detect and fix CWE-478?
Plexicus's SAST engine matches the data-flow signature for CWE-478 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-478?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/478.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-478
CWE-1023 Parent
Incomplete Comparison with Missing Factors
This weakness occurs when a program compares two items but fails to check all the necessary attributes that define their true…
CWE-184 Sibling
Incomplete List of Disallowed Inputs
This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but…
CWE-187 Sibling
Partial String Comparison
This weakness occurs when software checks only part of a string or token to determine a match, instead of comparing the entire value. This…
CWE-839 Sibling
Numeric Range Comparison Without Minimum Check
This vulnerability occurs when software validates that a number is within an acceptable range by only checking that it's less than or…
Ready when you are
Stop paying per developer.
Start closing the loop.
Plexicus is the AI-native ASPM that scans, filters, fixes, pentests, and explains — autonomously. Unlimited developers, unlimited repos, fair-use AI actions. Real free tier, €269/mo annual when you're ready.