CWE-1114: Inappropriate Whitespace Style
The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
Overview
CWE-1114 (Inappropriate Whitespace Style) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Common consequences
What can happen when CWE-1114 is exploited.
Increase Analytical Complexity
Affects: Other
A human auditor might indirectly trust that whitespace (especially indentation) reflects the actual control flow of the code, which could make it more difficult to find vulnerabilities.
Reduce Maintainability
Affects: Other
This issue makes it more difficult to understand and maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2014-1266 — Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). The code's whitespace indentation did not reflect the actual control flow (CWE-1114) and did not explicitly delimit the block (CWE-483), which could have made it more difficult for human code auditors to detect the vulnerability.
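A constructed C illustration of the shape that CVE entry describes, added here for explanation; it is not MITRE's text or Apple's source, and the hash and signature checks are hypothetical stand-ins. The indentation of `verify_misleading` suggests both `goto fail` statements belong to the `if`, but only the first does, so the signature check below is dead code and the function reports success with `err` still 0. `verify_braced` is the same logic with explicit block delimiters, which removes the ambiguity that a reviewer or linter would otherwise have to resolve.

```c
#include <stdio.h>

#define ERR_BAD_HASH 1
#define ERR_BAD_SIG  2

/* Constructed stand-ins: 0 means the step succeeded. */
static int update_hash(int hash) { return hash == 42 ? 0 : ERR_BAD_HASH; }
static int verify_sig(int sig)   { return sig == 7  ? 0 : ERR_BAD_SIG; }

/* Whitespace does not reflect control flow (CWE-1114) and the block is
 * not delimited (CWE-483): the second goto is unconditional, so the
 * signature check is never reached and err stays 0 on that path. */
int verify_misleading(int hash, int sig)
{
    int err;
    if ((err = update_hash(hash)) != 0)
        goto fail;
        goto fail;                      /* always executes */
    if ((err = verify_sig(sig)) != 0)   /* dead code */
        goto fail;
fail:
    return err;
}

/* Same checks with braces: indentation and control flow agree, and a
 * duplicated goto inside the braces could not skip the next check. */
int verify_braced(int hash, int sig)
{
    int err;
    if ((err = update_hash(hash)) != 0) {
        goto fail;
    }
    if ((err = verify_sig(sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Good hash, bad signature: the misleading version still accepts it. */
    printf("misleading: %d\n", verify_misleading(42, 0));  /* 0 */
    printf("braced:     %d\n", verify_braced(42, 0));      /* 2 */
    return 0;
}
```

Compilers flag this pattern when asked: GCC and Clang warn on the misleading layout with `-Wmisleading-indentation` (enabled by `-Wall`), and `-Wunreachable-code` reports the dead check in Clang.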