Description
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc.
Potential Impact
Other, Integrity, Availability
Varies by Context, DoS: Resource Consumption (CPU), Modify Memory, Read Memory
Demonstrative Examples
Example 1 (Java). The quantity comes straight from a user attribute and is multiplied into the charge without any check that it is a positive number:

```java
...
public static final double price = 20.00;
int quantity = currentUser.getAttribute("quantity");  // no check that quantity is non-negative or bounded
double total = price * quantity;
chargeUser(total);
...
```

Example 2 (C). Both board dimensions are capped against MAX_DIM, but nothing rejects negative or zero values before they are multiplied into the allocation size:

```c
...
#define MAX_DIM 100
...
/* board dimensions */
int m,n, error;
board_square_t *board;
printf("Please specify the board height: \n");
error = scanf("%d", &m);
if ( EOF == error ){
    die("No integer passed: Die evil hacker!\n");
}
printf("Please specify the board width: \n");
error = scanf("%d", &n);
if ( EOF == error ){
    die("No integer passed: Die evil hacker!\n");
}
/* only the upper bound is checked; negative m or n pass through */
if ( m > MAX_DIM || n > MAX_DIM ) {
    die("Value too large: Die evil hacker!\n");
}
board = (board_square_t*) malloc( m * n * sizeof(board_square_t));
...
```

Example 3 (GitHub Actions). The workflow downloads an artifact and copies the contents of the NR file into $GITHUB_ENV as the PR number without checking that it is numeric:

```yaml
name: Deploy Preview
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: 'Download artifact'
        uses: actions/github-script
        with:
          script: |
            var artifacts = await github.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{ github.event.workflow_run.id }},
            });
            var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
              return artifact.name == "pr"
            })[0];
            var downloadPr = await github.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchPrArtifact.id,
              archive_format: 'zip',
            });
            var fs = require('fs');
            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
      - run: |
          unzip pr.zip
          echo "pr_number=$(cat NR)" >> $GITHUB_ENV
```

In this example the NR file contains the following instead of a PR number, and that line ends up in $GITHUB_ENV:

```
NODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
```

The code could be modified to validate that the NR file only contains a numeric value, or the code could retrieve the PR number from a more trusted source.

Example 4 (PHP). The discount percentage is taken directly from the POST body, so nothing prevents a value that is negative, above 100, or not a number at all:

```php
$discount = $_POST['discount'];
$originalPrice = 100.00;
$finalPrice = $originalPrice - ($originalPrice * $discount / 100);
processPayment($finalPrice);
```

The corrected version accepts only discounts from a fixed allow-list and rejects a non-positive final price:

```php
$original_price = 100.00;
$allowed_discounts = [0, 10, 20, 50]; // only these discounts are valid
$discount = (int) ($_POST['discount'] ?? 0);
if (!in_array($discount, $allowed_discounts, true)) {
    http_response_code(400);
    exit('Invalid discount.');
}
$final_price = $original_price - ($original_price * $discount / 100);
if ($final_price <= 0) {
    http_response_code(400);
    exit('Invalid final price.');
}
processPayment($final_price);
```

Mitigations & Prevention
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
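The following C program is an added example, not code from the CWE entry or from any of the projects behind the demonstrative examples. It applies the "accept known good" strategy above to the board-dimension example: the quantity is parsed strictly (digits only, no trailing characters, no leading whitespace, within an explicit range) before any arithmetic uses it, which is the same property the NR file check needs and which rejects the negative quantity the Java and C examples accept. `board_square_t`, `parse_quantity`, `validate_board_dims` and `alloc_board` are assumed names for this example; `MAX_DIM` is the page's own constant.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 100

/* Assumed definition: the page never shows what a board square holds. */
typedef struct {
    int occupied;
} board_square_t;

/*
 * Strictly parse a decimal quantity: optional sign and digits only (plus one
 * trailing newline, as left by `cat` or fgets), no leading whitespace, no
 * trailing characters, within [min, max]; long overflow is a rejection.
 * Returns 0 and stores the value in *out on success, -1 otherwise.
 */
int parse_quantity(const char *text, long min, long max, long *out)
{
    char *end;
    long value;

    if (text == NULL || *text == '\0' || isspace((unsigned char)*text))
        return -1;                  /* empty input or leading whitespace */
    errno = 0;
    value = strtol(text, &end, 10);
    if (errno == ERANGE || end == text)
        return -1;                  /* out of range for long, or no digits */
    if (*end == '\n')
        end++;                      /* tolerate exactly one trailing newline */
    if (*end != '\0')
        return -1;                  /* trailing junk such as "10abc" or "1e3" */
    if (value < min || value > max)
        return -1;                  /* negative, zero, or too large */
    *out = value;
    return 0;
}

/* The parsed value, or `fallback` when the input is rejected. */
long parse_quantity_or(const char *text, long min, long max, long fallback)
{
    long value;
    return parse_quantity(text, min, max, &value) == 0 ? value : fallback;
}

/* Validate both dimensions as text, before any arithmetic; both must lie in
 * [1, MAX_DIM]. m_out and n_out may be NULL. Returns 0 if both are accepted. */
int validate_board_dims(const char *height_text, const char *width_text,
                        long *m_out, long *n_out)
{
    long m, n;
    if (parse_quantity(height_text, 1, MAX_DIM, &m) != 0)
        return -1;
    if (parse_quantity(width_text, 1, MAX_DIM, &n) != 0)
        return -1;
    if (m_out) *m_out = m;
    if (n_out) *n_out = n;
    return 0;
}

/* Allocate an m x n board. With MAX_DIM == 100 the product cannot overflow,
 * but the SIZE_MAX guard keeps the function safe if MAX_DIM is raised later.
 * Returns NULL on any rejected input. */
board_square_t *alloc_board(long m, long n)
{
    size_t cells;
    if (m < 1 || m > MAX_DIM || n < 1 || n > MAX_DIM)
        return NULL;
    cells = (size_t)m * (size_t)n;
    if (cells > SIZE_MAX / sizeof(board_square_t))
        return NULL;
    return calloc(cells, sizeof(board_square_t));
}

int main(void)
{
    /* Constructed sample inputs; a real program would read them from the user. */
    const char *inputs[][2] = {
        {"8", "8"}, {"-3", "8"}, {"0", "5"}, {"200", "1"}, {"8x", "8"}
    };
    size_t i;
    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        long m, n;
        if (validate_board_dims(inputs[i][0], inputs[i][1], &m, &n) != 0) {
            printf("rejected: height=%s width=%s\n", inputs[i][0], inputs[i][1]);
            continue;
        }
        board_square_t *board = alloc_board(m, n);
        printf("allocated %ld x %ld board: %s\n", m, n, board ? "ok" : "failed");
        free(board);
    }
    return 0;
}
```

The range check lives in the parser rather than after the multiplication because the weakness is in the quantity itself: once a negative or oversized `m` has been multiplied into a `size_t`, the result is already wrong and a later bound check on the product cannot tell a legitimate 1 x 100 board from an overflowed one.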
Detection Methods
- Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2025-4037 | ATM simulator does not check for negative values with deposits or withdrawals, allowing attackers to increase their balance |
| CVE-2025-46687 | Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based bu |
| CVE-2019-19911 | Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow |
| CVE-2008-1440 | lack of validation of length field leads to infinite loop |
| CVE-2008-2374 | lack of validation of string length fields allows memory consumption or buffer over-read |
Related Weaknesses
Frequently Asked Questions
What is CWE-1284?
CWE-1284 (Improper Validation of Specified Quantity in Input) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
How can CWE-1284 be exploited?
Attackers can exploit CWE-1284 (Improper Validation of Specified Quantity in Input) to cause impacts that vary by context, including denial of service through resource consumption (CPU), memory modification, and memory reads. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-1284?
Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric
What is the severity of CWE-1284?
CWE-1284 is classified as a Base-level weakness (Medium abstraction). It has been observed in 5 real-world CVEs.