Base · Medium

CWE-241: Improper Handling of Unexpected Data Type

The product does not handle, or incorrectly handles, the case where a particular element is not of the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

CWE-241 · Base Level · 2 CVEs · 2 Mitigations

Description

The product does not handle, or incorrectly handles, the case where a particular element is not of the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

Potential Impact

Integrity, Other

Varies by Context, Unexpected State

Mitigations & Prevention

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Implementation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Real-World CVE Examples

CVE ID          Description
CVE-1999-1156   FTP server crash via PORT command with non-numeric character.
CVE-2004-0270   Anti-virus product has assert error when line length is non-numeric.
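As an added illustration, not part of the CWE entry or of any vendor's code, of the "accept known good" and canonicalize-once mitigations above applied to the PORT-command case in the CVE list: a trusting parser that assumes every field is numeric, beside a strict one that checks field count, character type and range before any value is used. The PORT argument format (h1,h2,h3,h4,p1,p2) follows RFC 959; all sample inputs are constructed, not taken from the CVE record.

```python
import re
from typing import Optional, Tuple

# Allowlist pattern for the six PORT fields. [0-9] is used instead of \d on purpose:
# in Python 3, \d also matches non-ASCII digits, which int() converts without
# complaint, so the "is this a digit?" type check would be looser than intended.
PORT_ARG = re.compile(r"([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3})")


def parse_port_naive(arg: str) -> Tuple[str, int]:
    """Trusting parser: assumes each comma-separated field is a number.
    A letter in any field raises ValueError; if nothing above catches it, the
    command handler dies, which is the CWE-241 pattern described in the CVE list."""
    vals = [int(f) for f in arg.split(",")]
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def parse_port_strict(arg: str) -> Optional[Tuple[str, int]]:
    """Accept-known-good parser: field count and character type are checked by the
    pattern, numeric range afterwards; anything else is rejected with None."""
    m = PORT_ARG.fullmatch(arg)
    if m is None:
        return None
    vals = [int(g) for g in m.groups()]
    if any(v > 255 for v in vals):
        return None
    port = vals[4] * 256 + vals[5]
    if port == 0:
        return None
    return ".".join(str(v) for v in vals[:4]), port


def handle_port_line(line: bytes) -> Optional[Tuple[str, int]]:
    """Canonicalize exactly once (bytes -> ASCII text, strip one CRLF), then
    validate; no second decoding step runs after validation (CWE-180, CWE-174)."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.endswith("\r\n"):
        return None
    verb, _, arg = text[:-2].partition(" ")
    if verb != "PORT":
        return None
    return parse_port_strict(arg)
```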

Taxonomy Mappings

  • PLOVER — Wrong Data Type
  • CERT C Secure Coding: FIO37-C — Do not assume that fgets() or fgetws() returns a nonempty string when successful

Frequently Asked Questions

What is CWE-241?

CWE-241 (Improper Handling of Unexpected Data Type) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not handle, or incorrectly handles, the case where a particular element is not of the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

How can CWE-241 be exploited?

Attackers can exploit CWE-241 (Improper Handling of Unexpected Data Type) to put the product into an unexpected state; the precise impact varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-241?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric

What is the severity of CWE-241?

CWE-241 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.