1. Home
  2. CWE Database
  3. CWE-166
Base · Medium

CWE-166: Improper Handling of Missing Special Element

The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.

CWE-166 · Base Level ·3 CVEs ·3 Mitigations

Description

The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.

Potential Impact

Availability

DoS: Crash, Exit, or Restart

Mitigations & Prevention

General

Developers should anticipate that special elements will be removed in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Implementation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Real-World CVE Examples

CVE IDDescription
CVE-2002-1362Crash via message type without separator character
CVE-2002-0729Missing special character (separator) causes crash
CVE-2002-1532HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it

CWE-159: Improper Handling of Invalid Use of Special Elements

The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-con...

CWE-228: Improper Handling of Syntactically Invalid Structure

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the assoc...

Taxonomy Mappings

  • PLOVER: — Missing Special Element

Frequently Asked Questions

What is CWE-166?

CWE-166 (Improper Handling of Missing Special Element) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.

How can CWE-166 be exploited?

Attackers can exploit CWE-166 (Improper Handling of Missing Special Element) to dos: crash, exit, or restart. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-166?

Key mitigations include: Developers should anticipate that special elements will be removed in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and

What is the severity of CWE-166?

CWE-166 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.