Null Byte Interaction Error (Poison Null Byte)

Status: Draft
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when software incorrectly processes null bytes (NUL characters) as data moves between different systems or programming languages, leading to unexpected and potentially dangerous behavior.

Extended Description

A null byte (\0) has different meanings across programming environments. In languages like C and C++, it marks the definitive end of a string. However, in higher-level languages like PHP, Perl, or Python, a null byte is treated as just another character within the string. The security risk emerges when data from these languages passes into underlying C-based functions or system calls, where the null byte suddenly becomes a terminator. This mismatch can truncate data, bypass filters, and create openings for attackers to manipulate how the application processes information.

Attackers frequently exploit this discrepancy in path traversal attacks. By injecting a null byte into a filename (e.g., 'malicious.exe\0.txt'), they can terminate a hard-coded file extension appended by the application, causing the system to process a dangerous file type.

This technique can also interfere with security checks, input validation, and regular expression parsing, making it a critical issue for web applications and software that bridges multiple language layers.
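The layer mismatch described above, modelled in Python as an added illustration (not part of this entry): the application appends a ".txt" extension in a NUL-tolerant language, a C-level consumer sees only the bytes before the NUL, and the mitigation strips or rejects the NUL before the boundary. UPLOAD_DIR and the function names are assumptions for the example.

```python
import os

NUL = "\0"
UPLOAD_DIR = "/var/uploads/"  # assumed, illustrative path only


def c_view(s: str) -> str:
    """Model of what a C string routine (strlen, open(2), ...) sees: bytes before the first NUL."""
    i = s.find(NUL)
    return s if i < 0 else s[:i]


def build_path(user_name: str) -> str:
    """Application logic in a NUL-tolerant language: force a .txt extension onto the name."""
    return UPLOAD_DIR + user_name + ".txt"


def layer_mismatch(path: str) -> bool:
    """True when the high-level string and the C-level string disagree (data was truncated)."""
    return c_view(path) != path


def sanitize(user_name: str) -> str:
    """Mitigation listed in this entry: remove NUL bytes from incoming strings."""
    return user_name.replace(NUL, "")


def reject_nul(user_name: str) -> str:
    """Stricter variant: refuse the input rather than silently rewriting it."""
    if NUL in user_name:
        raise ValueError("embedded NUL byte in filename")
    return user_name


def runtime_rejects(path: str) -> bool:
    """Python's own guard at the boundary: os.stat raises ValueError on an embedded NUL
    before any system call is made, so the C layer never sees the truncated name."""
    try:
        os.stat(path)
    except ValueError:
        return True
    except OSError:
        return False
    return False


if __name__ == "__main__":
    tainted = "malicious.exe" + NUL            # constructed input, as in the entry's example
    p = build_path(tainted)
    print(repr(p), "->", repr(c_view(p)), "mismatch:", layer_mismatch(p))
    print("sanitized:", repr(build_path(sanitize(tainted))))
    print("runtime guard rejects:", runtime_rejects(p))
```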

Common Consequences
Scope: Integrity

Impact: Unexpected State

Potential Mitigations
Phase: Implementation
Remove null bytes from all incoming strings.
Observed Examples
CVE-2005-4155: NUL byte bypasses PHP regular expression check
CVE-2005-3153: inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection
References
[REF-514] Rain Forest Puppy. "Perl CGI problems". Phrack. 09-09-1999.
[REF-515] Brett Moore. "0x00 vs ASP file upload scripts".
[REF-516] ShAnKaR. "ShAnKaR: multiple PHP application poison NULL byte vulnerability".
Applicable Platforms
Languages:
PHP: Undetermined
Perl: Undetermined
ASP.NET: Undetermined
Modes of Introduction
Implementation
Notes
Terminology: Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.
Research Gap: There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.