1. Home
  2. CWE Database
  3. CWE-248
Base · Medium

CWE-248: Uncaught Exception

An exception is thrown from a function, but it is not caught.

CWE-248 · Base Level ·2 CVEs

Description

An exception is thrown from a function, but it is not caught.

When an exception is not caught, it may cause the program to crash or expose sensitive information.

Potential Impact

Availability, Confidentiality

DoS: Crash, Exit, or Restart, Read Application Data

Demonstrative Examples

The following example attempts to resolve a hostname.
Bad
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());}
A DNS lookup failure will cause the Servlet to throw an exception.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2023-41151SDK for OPC Unified Architecture (OPC UA) server has uncaught exception when a socket is blocked for writing but the server tries to send an error
CVE-2023-21087Java code in a smartphone OS can encounter a "boot loop" due to an uncaught exception

CWE-705: Incorrect Control Flow Scoping

The product does not properly return control flow to the proper location after it has completed a task or detected an un...

CWE-755: Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

CWE-703: Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of t...

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — Often Misused: Exception Handling
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR05-J — Do not let checked exceptions escape from a finally block
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR06-J — Do not throw undeclared checked exceptions
  • SEI CERT Perl Coding Standard: EXP31-PL — Do not suppress or ignore exceptions
  • Software Fault Patterns: SFP4 — Unchecked Status Condition

Frequently Asked Questions

What is CWE-248?

CWE-248 (Uncaught Exception) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. An exception is thrown from a function, but it is not caught.

How can CWE-248 be exploited?

Attackers can exploit CWE-248 (Uncaught Exception) to dos: crash, exit, or restart, read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-248?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-248?

CWE-248 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.