Function Call With Incorrect Argument Type

Description

This vulnerability occurs when a program calls a function or method but passes an argument of the wrong data type, which can cause unexpected behavior or security flaws.

Extended Description

This issue is most common in loosely typed languages like JavaScript or PHP, where the language doesn't enforce strict type checks at runtime. It can also happen in strongly typed languages when using features like variable argument lists or implicit type conversions, where the compiler cannot catch the mismatch before the code runs. When a function receives a type it doesn't expect—like a string instead of a number—it may crash, produce incorrect results, or trigger other weaknesses like buffer overflows or injection flaws. Developers should use explicit type checking, validation, and modern language features (like TypeScript or strict mode) to prevent these errors.

Common Consequences 1

Scope: Other

Impact: Quality Degradation

Potential Mitigations 1

Phase: Testing

Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Function Call with Incorrectly Specified Arguments (CWE-628)

Taxonomy Mapping

CERT C Secure Coding
CERT C Secure Coding
CERT C Secure Coding
CERT C Secure Coding
Software Fault Patterns