- What is CWE-1284?
- The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
- What CVEs are caused by CWE-1284?
- 232 recorded CVEs are attributed to CWE-1284, including CVE-2026-49777, CVE-2024-8887, CVE-2026-25345.
- How do you prevent CWE-1284?
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- How is CWE-1284 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1284?
- Exploiting CWE-1284 can lead to: Varies by Context, DoS: Resource Consumption (CPU), Modify Memory, Read Memory.
- Is CWE-1284 actively exploited?
- 232 recorded CVEs are caused by CWE-1284; none are currently in CISA's KEV catalog of actively exploited flaws.