Class · High

CWE-705: Incorrect Control Flow Scoping


CWE-705 · Class Level · 2 CVEs

Description

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

Potential Impact

Scope: Other
Impact: Alter Execution Logic, Other

Demonstrative Examples

The following example attempts to resolve a hostname.
Bad (Java)

    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String ip = req.getRemoteAddr();
        // getByName() can throw UnknownHostException (a subclass of IOException);
        // nothing here catches it, so it propagates out of the servlet method.
        InetAddress addr = InetAddress.getByName(ip);
        ...
        out.println("hello " + addr.getHostName());
    }

A DNS lookup failure will cause the Servlet to throw an exception.
This code queries a server and displays its status when a request comes from an authorized IP address.
Bad (PHP)

    $requestingIP = $_SERVER['REMOTE_ADDR'];
    if (!in_array($requestingIP, $ipAllowList)) {
        echo "You are not authorized to view this page";
        http_redirect($errorPageURL);
        // no exit here: execution falls through to the status query below
    }
    $status = getServerStatus();
    echo $status;
    ...

This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212).
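The redirect-without-exit pattern above, modelled in Python as an added example (not code from the CWE entry) so the fall-through is visible in a test. The Response class, the allow-list, and the get_server_status() stub standing in for getServerStatus() are constructed for this example.

```python
from dataclasses import dataclass, field

IP_ALLOW_LIST = {"10.0.0.5"}   # constructed sample allow-list ($ipAllowList)
ERROR_PAGE_URL = "/error"      # stands in for $errorPageURL
STATUS_CALLS = []              # records every call to the queried server


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


def get_server_status() -> str:
    """Stand-in for getServerStatus(): the backend query we want to protect."""
    STATUS_CALLS.append(1)
    return "server OK"


def http_redirect(resp: Response, url: str) -> None:
    """Like PHP's http_redirect(): sets the header but does not stop execution."""
    resp.status = 302
    resp.headers["Location"] = url


def status_page_bad(remote_addr: str) -> Response:
    """CWE-705: the redirect is issued, but control falls through."""
    resp = Response()
    if remote_addr not in IP_ALLOW_LIST:
        resp.body += "You are not authorized to view this page"
        http_redirect(resp, ERROR_PAGE_URL)
        # missing return: the query below still runs for this caller
    resp.body += get_server_status()
    return resp


def status_page_fixed(remote_addr: str) -> Response:
    """Return right after the redirect so the query never runs."""
    resp = Response()
    if remote_addr not in IP_ALLOW_LIST:
        resp.body += "You are not authorized to view this page"
        http_redirect(resp, ERROR_PAGE_URL)
        return resp
    resp.body += get_server_status()
    return resp
```

The bad handler still contacts the server and puts its status in the body even though the response is a 302; the fixed handler returns before the query.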
Included in the doPost() method defined below is a call to System.exit() in the event of a specific exception.
Bad (Java)

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        try {
            ...
        } catch (ApplicationSpecificException ase) {
            logger.error("Caught: " + ase.toString());
            // terminates the whole JVM, and with it every other request the
            // container is serving, instead of returning control to the container
            System.exit(1);
        }
    }

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

  • CVE-2023-21087 — Java code in a smartphone OS can encounter a "boot loop" due to an uncaught exception
  • CVE-2014-1266 — Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-56

Taxonomy Mappings

  • CERT C Secure Coding: ENV32-C — All exit handlers must return normally
  • CERT C Secure Coding: ERR04-C — Choose an appropriate termination strategy
  • The CERT Oracle Secure Coding Standard for Java (2011): THI05-J — Do not use Thread.stop() to terminate threads
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR04-J — Do not complete abruptly from a finally block
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR05-J — Do not let checked exceptions escape from a finally block
  • SEI CERT Perl Coding Standard: EXP31-PL — Do not suppress or ignore exceptions

Frequently Asked Questions

What is CWE-705?

CWE-705 (Incorrect Control Flow Scoping) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

How can CWE-705 be exploited?

Attackers can exploit CWE-705 (Incorrect Control Flow Scoping) to alter execution logic, among other impacts. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-705?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-705?

CWE-705 is classified as a Class-level weakness (High abstraction). It has been observed in 2 real-world CVEs.