CWE-172: Encoding Error
The product does not properly encode or decode the data, resulting in unexpected values.
Last updated
Overview
CWE-172 (Encoding Error) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
9 recorded CVEs are caused by CWE-172 (Encoding Error). The highest-severity and most recent are shown first. 2 new CWE-172 CVEs have been recorded so far in 2026 (2 in 2025).
- CVE-2019-10160Critical · CVSS 9.8 · EPSS 92th2019-06-07
- CVE-2025-12758High · CVSS 8.7 · EPSS 37th2025-11-27
- CVE-2025-27110
Libmodsecurity3 has possible bypass of encoded HTML entities
High · CVSS 7.9 · EPSS 37th2025-02-25 - CVE-2019-12677Medium · CVSS 6.5 · EPSS 72th2019-10-02
- CVE-2026-42926
NGINX ngx_http_proxy_v2_module vulnerability
Medium · CVSS 6.3 · EPSS 26th2026-05-13 - CVE-2026-48784
Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Medium · CVSS 5.1 · EPSS 18th2026-07-14 - CVE-2019-10153Medium · CVSS 5.0 · EPSS 80th2019-07-30
- CVE-2021-33604Low · CVSS 2.5 · EPSS 21th2021-06-24
- CVE-2024-48909Low · CVSS 2.4 · EPSS 23th2024-10-14
Common consequences
What can happen when CWE-172 is exploited.
Unexpected State
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-172, grouped by where in the lifecycle they apply.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2004-1315 — Forum software improperly URL decodes the highlight parameter when extracting text to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result.
- CVE-2004-1939 — XSS protection mechanism attempts to remove "/" that could be used to close tags, but it can be bypassed using double encoded slashes (%252F)
- CVE-2001-0709 — Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode.
- CVE-2005-2256 — Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e"
Terminology & mappings
Mapped taxonomies
- PLOVER: Encoding Error
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-120: Double Encoding
- CAPEC-267: Leverage Alternate Encoding
- CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
- CAPEC-52: Embedding NULL Bytes
- CAPEC-53: Postfix, Null Terminate, and Backslash
- CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
- CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
- CAPEC-72: URL Encoding
- CAPEC-78: Using Escaped Slashes in Alternate Encoding
- CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic
Frequently asked questions
Common questions about CWE-172.
- What is CWE-172?
- The product does not properly encode or decode the data, resulting in unexpected values.
- What CVEs are caused by CWE-172?
- 9 recorded CVEs are attributed to CWE-172, including CVE-2019-10160, CVE-2025-12758, CVE-2025-27110.
- How do you prevent CWE-172?
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- What are the consequences of CWE-172?
- Exploiting CWE-172 can lead to: Unexpected State.
- Is CWE-172 actively exploited?
- 9 recorded CVEs are caused by CWE-172; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-172) (opens in a new tab)
- CWE-172 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-172
Get alerted the moment a new CWE-172 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.