1. Home
  2. CWE Database
  3. CWE-1287
Base · Medium

CWE-1287: Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

CWE-1287 · Base Level ·2 CVEs ·1 Mitigations

Description

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

When input does not comply with the expected type, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities that would not be possible if the input conformed with the expected type. This weakness can appear in type-unsafe programming languages, or in programming languages that support casting or conversion of an input to another type.

Potential Impact

Other

Varies by Context

Mitigations & Prevention

Implementation High

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Real-World CVE Examples

CVE IDDescription
CVE-2024-37032Large language model (LLM) management tool does not validate the format of a digest value (CWE-1287) from a private, untrusted model registry, enabling relative
CVE-2008-2223SQL injection through an ID that was supposed to be numeric.

CWE-20: Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the ...

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later acce...

Frequently Asked Questions

What is CWE-1287?

CWE-1287 (Improper Validation of Specified Type of Input) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

How can CWE-1287 be exploited?

Attackers can exploit CWE-1287 (Improper Validation of Specified Type of Input) to varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1287?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric

What is the severity of CWE-1287?

CWE-1287 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.