CWE-1284: Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Last updated
Overview
Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc.
Real-world CVEs
232 recorded CVEs are caused by CWE-1284 (Improper Validation of Specified Quantity in Input). The highest-severity and most recent are shown first. 92 new CWE-1284 CVEs have been recorded so far in 2026 (55 in 2025).
- CVE-2026-49777
WordPress Product Slider Pro for WooCommerce plugin < 3.5.4 - Backdoor vulnerability
Critical · CVSS 10.0 · EPSS 74th2026-06-05 - CVE-2024-8887Critical · CVSS 10.0 · EPSS 43th2024-09-18
- CVE-2026-25345
WordPress SimpLy Gallery plugin <= 3.3.2 - Arbitrary Code Execution vulnerability
Critical · CVSS 9.9 · EPSS 36th2026-03-25 - CVE-2025-55398Critical · CVSS 9.8 · EPSS 27th2025-08-22
- CVE-2025-43964Critical · CVSS 9.8 · EPSS 29th2025-04-20
- CVE-2022-25727Critical · CVSS 9.8 · EPSS 34th2022-11-15
- CVE-2009-4488Critical · CVSS 9.8 · EPSS 96th2010-01-13
- CVE-2008-2374Critical · CVSS 9.8 · EPSS 90th2008-07-07
- CVE-2026-33471
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
Critical · CVSS 9.6 · EPSS 12th2026-04-22 - CVE-2024-9369Critical · CVSS 9.6 · EPSS 44th2024-11-27
- CVE-2025-65548Critical · CVSS 9.1 · EPSS 29th2025-12-08
- CVE-2022-25769
Improper regex in htaccess file
Critical · CVSS 9.1 · EPSS 40th2024-09-18
Showing 12 of 232 recorded CWE-1284 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1284 vulnerabilitiesCommon consequences
What can happen when CWE-1284 is exploited.
Varies by Context, DoS: Resource Consumption (CPU), Modify Memory, Read Memory
Affects: Other, Integrity, Availability
When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1284, grouped by where in the lifecycle they apply.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Effectiveness: High
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.
The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited.
This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.
Vulnerable example
/* board dimensions */
...While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program.
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment variable value is retrieved from an external resource.
Vulnerable example
deploy:The following PHP code could be from a shopping cart application. It allows users to apply a discount to an item.
Vulnerable example
$discount = $_POST['discount'];Safe example
// only these discounts are valid
$original_price = 100.00;Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2025-4037 — ATM simulator does not check for negative values with deposits or withdrawals, allowing attackers to increase their balance
- CVE-2025-46687 — Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based buffer overflow (CWE-122)
- CVE-2019-19911 — Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).
- CVE-2008-1440 — lack of validation of length field leads to infinite loop
- CVE-2008-2374 — lack of validation of string length fields allows memory consumption or buffer over-read
Frequently asked questions
Common questions about CWE-1284.
- What is CWE-1284?
- The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
- What CVEs are caused by CWE-1284?
- 232 recorded CVEs are attributed to CWE-1284, including CVE-2026-49777, CVE-2024-8887, CVE-2026-25345.
- How do you prevent CWE-1284?
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- How is CWE-1284 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1284?
- Exploiting CWE-1284 can lead to: Varies by Context, DoS: Resource Consumption (CPU), Modify Memory, Read Memory.
- Is CWE-1284 actively exploited?
- 232 recorded CVEs are caused by CWE-1284; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1284) (opens in a new tab)
- CWE-1284 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1284
Get alerted the moment a new CWE-1284 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.