CWE-1071 Base Incomplete

Empty Code Block

An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable statements.

Definition

What is CWE-1071?

An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable statements.
Empty blocks can appear in various places like if/else conditionals, loops, function definitions, or exception handlers. While sometimes intentionally used as a placeholder, they often signal problems like incomplete features, accidentally deleted logic, or unexpected behavior from macros or code generators. For developers, these empty blocks are a red flag. Even if the language syntax allows them, they frequently violate API contracts or expected program behavior, leading to silent failures or security issues where an action is assumed but never executed. Code reviews should actively identify and justify any empty block to prevent unintentional gaps in application logic.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-1071

Bisher sind in MITREs Katalog keine öffentlichen CVE-Referenzen mit dieser CWE verknüpft.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    In the following Java example, the code catches an ArithmeticException.

  2. 2

    Since the exception block is empty, no action is taken.

  3. 3

    In the code below the exception has been logged and the bad execution has been handled in the desired way allowing the program to continue in an expected way.

  4. 4

    The following code attempts to synchronize on an object, but does not execute anything in the synchronized block. This does not actually accomplish anything and may be a sign that a programmer is wrestling with synchronization but has not yet achieved the result they intend.

  5. 5

    Instead, in a correct usage, the synchronized statement should contain procedures that access or modify data that is exposed to multiple threads. For example, consider a scenario in which several threads are accessing student records at the same time. The method which sets the student ID to a new value will need to make sure that nobody else is accessing this data at the same time and will require synchronization.

Verwundbares Codebeispiel

Vulnerable Java

In the following Java example, the code catches an ArithmeticException.

Verwundbar Java 
public class Main {
  	public static void main(String[] args) { 
  		int a = 1; 
  		int b = 0; 
  		int c = 0;
  		try { 
  			c = a / b;
  		} catch(ArithmeticException ae) { 
  		}
  	}
  }
Sicheres Codebeispiel

Secure Java

In the code below the exception has been logged and the bad execution has been handled in the desired way allowing the program to continue in an expected way.

Sicher Java 
public class Main {
  	public static void main(String[] args) { 
  		int a = 1; 
  		int b = 0; 
  		int c = 0;
  		try { 
  			c = a / b;
  		} catch(ArithmeticException ae) { 
  			log.error("Divided by zero detected, setting to -1."); 
  			c = -1;
  		}
  	}
  }
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-1071

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Erkennungssignale

How to detect CWE-1071

SAST High

Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.

DAST Moderate

Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.

Runtime Moderate

Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.

Code review Moderate

Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.

Plexicus Auto-Fix

Plexicus erkennt CWE-1071 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-1071?

An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable statements.

Wie gravierend ist CWE-1071?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-1071 betroffen?

MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.

Wie kann ich CWE-1071 verhindern?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

Wie erkennt und behebt Plexicus CWE-1071?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1071 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-1071?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1071.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-1071

CWE-1164 Parent

Irrelevant Code

Irrelevant code refers to sections of a program that have no impact on its execution, data, or logic. Removing this code would not change…

CWE-107 Sibling

Struts: Unused Validation Form

This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or…

CWE-110 Sibling

Struts: Validator Without Form Field

This vulnerability occurs when a Struts application's validation configuration file references form fields that no longer exist in the…

CWE-561 Sibling

Dead Code

Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable.

CWE-563 Sibling

Assignment to Variable without Use

This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a…

CWE-1069 Child

Empty Exception Block

This weakness occurs when a try-catch or try-finally block is present but contains no code to handle the caught exception or perform…

CWE-585 Child

Empty Synchronized Block

An empty synchronized block is a Java code construct where a synchronized block exists but contains no executable statements inside it.

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen