CWE-158: Improper Neutralization of Null Byte or NUL Character
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
Last updated
Overview
As data is parsed, an injected NUL character or null byte may cause the product to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.
Real-world CVEs
26 recorded CVEs are caused by CWE-158 (Improper Neutralization of Null Byte or NUL Character), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 8 new CWE-158 CVEs have been recorded so far in 2026 (7 in 2025).
- CVE-2025-47812CISA KEVCritical · CVSS 10.0 · EPSS 100th2025-07-10
- CVE-2009-1537CISA KEVHigh · CVSS 8.8 · EPSS 99th2009-05-29
- CVE-2020-14500Critical · CVSS 10.0 · EPSS 74th2020-08-25
- CVE-2025-14388
PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection
Critical · CVSS 9.8 · EPSS 34th2025-12-23 - CVE-2023-5719Critical · CVSS 9.8 · EPSS 40th2023-11-06
- CVE-2025-55113
BMC Control-M/Agent unescaped NULL byte in access control list checks
Critical · CVSS 9.5 · EPSS 19th2025-09-16 - CVE-2022-20813
Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities
Critical · CVSS 9.0 · EPSS 60th2022-07-06 - CVE-2022-20812Critical · CVSS 9.0 · EPSS 76th2022-07-06
- CVE-2025-66263
Unauthenticated Arbitrary File Read via Null Byte Injection
High · CVSS 8.9 · EPSS 27th2025-11-26 - CVE-2025-9648
Denial of Service in CivetWeb
High · CVSS 8.7 · EPSS 49th2025-09-29 - CVE-2020-5363High · CVSS 8.6 · EPSS 25th2020-06-10
- CVE-2024-10921High · CVSS 8.1 · EPSS 42th2024-11-14
Showing 12 of 26 recorded CWE-158 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-158 vulnerabilitiesCommon consequences
What can happen when CWE-158 is exploited.
Unexpected State
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-158, grouped by where in the lifecycle they apply.
Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2008-1284 — NUL byte in theme name causes directory traversal impact to be worse
- CVE-2005-2008 — Source code disclosure using trailing null.
- CVE-2005-3293 — Source code disclosure using trailing null.
- CVE-2005-2061 — Trailing null allows file include.
- CVE-2002-1774 — Null character in MIME header allows detection bypass.
- CVE-2000-0149 — Web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.
- CVE-2000-0671 — Web server earlier allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) in the URL.
- CVE-2001-0738 — Logging system allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages.
- CVE-2001-1140 — Web server allows source code for executable programs to be read via a null character (%00) at the end of a request.
- CVE-2002-1031 — Protection mechanism for limiting file access can be bypassed using a null character (%00) at the end of the directory name.
- CVE-2002-1025 — Application server allows remote attackers to read JSP source code via an encoded null byte in an HTTP GET request, which causes the server to send the .JSP file unparsed.
- CVE-2003-0768 — XSS protection mechanism only checks for sequences with an alphabetical character following a (<), so a non-alphabetical or null character (%00) following a < may be processed.
- CVE-2004-0189 — Decoding function in proxy allows regular expression bypass in ACLs via URLs with null characters.
- CVE-2005-3153 — Null byte bypasses PHP regexp check (interaction error).
- CVE-2005-4155 — Null byte bypasses PHP regexp check (interaction error).
Terminology & mappings
Mapped taxonomies
- PLOVER: Null Character / Null Byte
- WASC: Null Byte Injection (28)
- Software Fault Patterns: Tainted input to command (SFP24)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-158.
- What is CWE-158?
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
- What CVEs are caused by CWE-158?
- 26 recorded CVEs are attributed to CWE-158, including CVE-2025-47812, CVE-2009-1537, CVE-2020-14500. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-158?
- Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
- What are the consequences of CWE-158?
- Exploiting CWE-158 can lead to: Unexpected State.
- Is CWE-158 actively exploited?
- Yes. 2 CWE-158 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 26 recorded CVEs.
References
- MITRE CWE definition (CWE-158) (opens in a new tab)
- CWE-158 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-158
Get alerted the moment a new CWE-158 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.