Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-478 Base Borrador
Missing Default Case in Multiple Condition Expression
This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values.
Definición
What is CWE-478?
This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values.
When a switch or similar multi-branch statement has no default case, any unhandled input value can cause the program to take no action or follow an incorrect logic path. This creates a silent failure point where the application's behavior becomes unpredictable, often leading to logic errors, data corruption, or crashes that can be exploited to bypass security controls or disrupt service.
Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack. While SAST tools catch the pattern, Plexicus uses AI to suggest the actual code fix—such as adding a default case to log, throw an exception, or assign a safe fallback value—saving hours of manual work and preventing cascading failures from poor error handling.
Impacto en el mundo real
Real-world CVEs caused by CWE-478
Todavía no hay CVEs públicos enlazados a esta CWE en el catálogo de MITRE.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
The following does not properly check the return code in the case where the security_check function returns a -1 value when an error occurs. If an attacker can supply data that will invoke an error, the attacker can bypass the security check:
- 2
Instead a default label should be used for unaccounted conditions:
- 3
This label is used because the assumption cannot be made that all possible cases are accounted for. A good practice is to reserve the default case for error handling.
- 4
In the following Java example the method getInterestRate retrieves the interest rate for the number of points for a mortgage. The number of points is provided within the input parameter and a switch statement will set the interest rate value to be returned based on the number of points.
- 5
However, this code assumes that the value of the points input parameter will always be 0, 1 or 2 and does not check for other incorrect values passed to the method. This can be easily accomplished by providing a default label in the switch statement that outputs an error message indicating an invalid value for the points input parameter and returning a null value.
Ejemplo de código vulnerable
Vulnerable C
The following does not properly check the return code in the case where the security_check function returns a -1 value when an error occurs. If an attacker can supply data that will invoke an error, the attacker can bypass the security check:
#define FAILED 0
#define PASSED 1
int result;
...
result = security_check(data);
switch (result) {
case FAILED:
printf("Security check failed!\n");
exit(-1);
```
//Break never reached because of exit()*
break;
case PASSED:
```
printf("Security check passed.\n");
break;
}
```
// program execution continues...*
... Ejemplo de código seguro
Secure C
Instead a default label should be used for unaccounted conditions:
#define FAILED 0
#define PASSED 1
int result;
...
result = security_check(data);
switch (result) {
case FAILED:
printf("Security check failed!\n");
exit(-1);
```
//Break never reached because of exit()*
break;
case PASSED:
```
printf("Security check passed.\n");
break;
default:
printf("Unknown error (%d), exiting...\n",result);
exit(-1);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-478
- Implementation Ensure that there are no cases unaccounted for when adjusting program flow or values based on the value of a given variable. In the case of switch style statements, the very simple act of creating a default case can, if done correctly, mitigate this situation. Often however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. This is poor practice and in some cases is as bad as omitting a default case entirely.
Señales de detección
How to detect CWE-478
Plexicus detecta automáticamente CWE-478 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-478?
¿Qué gravedad tiene CWE-478?
¿Qué lenguajes o plataformas se ven afectados por CWE-478?
¿Cómo puedo prevenir CWE-478?
¿Cómo detecta y corrige Plexicus CWE-478?
¿Dónde puedo aprender más sobre CWE-478?
Frequently asked questions
¿Qué es CWE-478?
This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values.
¿Qué gravedad tiene CWE-478?
MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.
¿Qué lenguajes o plataformas se ven afectados por CWE-478?
MITRE lists the following affected platforms: C, C++, Java, C#, Python, JavaScript.
¿Cómo puedo prevenir CWE-478?
Ensure that there are no cases unaccounted for when adjusting program flow or values based on the value of a given variable. In the case of switch style statements, the very simple act of creating a default case can, if done correctly, mitigate this situation. Often however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. This is poor practice and in some cases is as bad as omitting a default case entirely.
¿Cómo detecta y corrige Plexicus CWE-478?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-478 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-478?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/478.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-478
CWE-1023 Padre
Incomplete Comparison with Missing Factors
This weakness occurs when a program compares two items but fails to check all the necessary attributes that define their true…
CWE-184 Hermano
Incomplete List of Disallowed Inputs
This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but…
CWE-187 Hermano
Partial String Comparison
This weakness occurs when software checks only part of a string or token to determine a match, instead of comparing the entire value. This…
CWE-839 Hermano
Numeric Range Comparison Without Minimum Check
This vulnerability occurs when software validates that a number is within an acceptable range by only checking that it's less than or…
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.