Log inLog in

Variant weakness

Draft

CWE-177: Improper Handling of URL Encoding (Hex Encoding)

The product does not properly handle when all or part of an input has been URL encoded.

Last updated May 1, 2026

9

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

CWE-177 (Improper Handling of URL Encoding (Hex Encoding)) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

9 recorded CVEs are caused by CWE-177 (Improper Handling of URL Encoding (Hex Encoding)). The highest-severity and most recent are shown first. 4 new CWE-177 CVEs have been recorded so far in 2026 (1 in 2025).

2026-03-04

CVE-2022-3854

Medium · CVSS 6.5 · EPSS 54th

2023-03-06

CVE-2026-6414

@fastify/static vulnerable to route guard bypass via encoded path separators

Medium · CVSS 5.9 · EPSS 4th

2026-04-16

CVE-2022-27780

Medium · CVSS 5.3 · EPSS 40th

2022-06-01

CVE-2025-11990

Improper Handling of URL Encoding (Hex Encoding) in GitLab

Low · CVSS 3.1 · EPSS 5th

2025-11-15

CVE-2024-48866

Low · CVSS 2.3 · EPSS 71th

Common consequences

What can happen when CWE-177 is exploited.

Unexpected State

Affects: Integrity

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-177, grouped by where in the lifecycle they apply.

Architecture and Design

Input Validation

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Implementation

Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Implementation

Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2000-0900 — Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e"
CVE-2005-2256 — Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e"
CVE-2004-2121 — Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e"
CVE-2004-0280 — "%20" (encoded space)
CVE-2003-0424 — "%20" (encoded space)
CVE-2001-0693 — "%20" (encoded space)
CVE-2001-0778 — "%20" (encoded space)
CVE-2002-1831 — Crash via hex-encoded space "%20".
CVE-2000-0671 — "%00" (encoded null)
CVE-2004-0189 — "%00" (encoded null)
CVE-2002-1291 — "%00" (encoded null)
CVE-2002-1031 — "%00" (encoded null)
CVE-2001-1140 — "%00" (encoded null)
CVE-2004-0760 — "%00" (encoded null)
CVE-2002-1025 — "%00" (encoded null)
CVE-2002-1213 — "%2f" (encoded slash)
CVE-2004-0072 — "%5c" (encoded backslash) and "%2e" (encoded dot) sequences
CVE-2004-0847 — web framework for .NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash)
CVE-2002-1575 — "%0a" (overlaps CRLF)

Terminology & mappings

Mapped taxonomies

PLOVER: URL Encoding (Hex Encoding)

Attack patterns

CAPEC attack patterns that exploit this weakness.

Frequently asked questions

Common questions about CWE-177.

What is CWE-177?

The product does not properly handle when all or part of an input has been URL encoded.

What CVEs are caused by CWE-177?

9 recorded CVEs are attributed to CWE-177, including CVE-2026-22037, CVE-2026-22031, CVE-2026-29045.

How do you prevent CWE-177?

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

What are the consequences of CWE-177?

Exploiting CWE-177 can lead to: Unexpected State.

Is CWE-177 actively exploited?

9 recorded CVEs are caused by CWE-177; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-177

Get alerted the moment a new CWE-177 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-177?

What CVEs are caused by CWE-177?

How do you prevent CWE-177?

What are the consequences of CWE-177?

Is CWE-177 actively exploited?

References

Stay ahead of CWE-177