CWE-1284
Improper Validation of Specified Quantity in Input
Incomplete
2020-02-24
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
General Informations
Modes Of Introduction
Implementation : Since quantities are often used to affect resource allocation or process financial data, they are often present in many places in the code.Applicable Platforms
Language
Class: Not Language-Specific (Often)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Other Integrity Availability | Varies by Context, DoS: Resource Consumption (CPU), Modify Memory, Read Memory Note: When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc. |
Observed Examples
| References | Description |
|---|---|
CVE-2025-46687 | Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based buffer overflow (CWE-122) |
CVE-2019-19911 | Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). |
CVE-2008-1440 | lack of validation of length field leads to infinite loop |
CVE-2008-2374 | lack of validation of string length fields allows memory consumption or buffer over-read |
Potential Mitigations
Phases : ImplementationDetection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Vulnerability Mapping Notes
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notes
This entry is still under development and will continue to see updates and content improvements.Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 4.1 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes, Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Modes_of_Introduction, Observed_Examples, Weakness_Ordinalities |
