Base weakness

Draft

CWE-182: Collapse of Data into Unsafe Value

The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

Last updated May 1, 2026

1

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-182 (Collapse of Data into Unsafe Value) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

1 recorded CVEs are caused by CWE-182 (Collapse of Data into Unsafe Value). The highest-severity and most recent are shown first.

CVE-2020-7921
Administrative action may disable enforcement of per-user IP whitelisting
Medium · CVSS 4.6 · EPSS 40th
2020-05-06

Common consequences

What can happen when CWE-182 is exploited.

Bypass Protection Mechanism

Affects: Access Control

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-182, grouped by where in the lifecycle they apply.

Architecture and Design

Input Validation

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Implementation

Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Implementation

Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function).

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2004-0815 — "/.////" in pathname collapses to absolute path.
CVE-2005-3123 — "/.//..//////././" is collapsed into "/.././" after ".." and "//" sequences are removed.
CVE-2002-0325 — ".../...//" collapsed to "..." due to removal of "./" in web server.
CVE-2002-0784 — chain: HTTP server protects against ".." but allows "." variants such as "////./../.../". If the server removes "/.." sequences, the result would collapse into an unsafe value "////../" (CWE-182).
CVE-2005-2169 — MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../".
CVE-2001-1157 — XSS protection mechanism strips a sequence that is nested in another sequence.

Terminology & mappings

Mapped taxonomies

PLOVER: Collapse of Data into Unsafe Value
The CERT Oracle Secure Coding Standard for Java (2011): Eliminate noncharacter code points before validation (IDS11-J)

Frequently asked questions

Common questions about CWE-182.

What is CWE-182?

The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

What CVEs are caused by CWE-182?

1 recorded CVEs are attributed to CWE-182, including CVE-2020-7921.

How do you prevent CWE-182?

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

How is CWE-182 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-182?

Exploiting CWE-182 can lead to: Bypass Protection Mechanism.

Is CWE-182 actively exploited?

1 recorded CVEs are caused by CWE-182; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-182

Get alerted the moment a new CWE-182 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Can precede

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-182?

What CVEs are caused by CWE-182?

How do you prevent CWE-182?

How is CWE-182 detected?

What are the consequences of CWE-182?

Is CWE-182 actively exploited?

References

Stay ahead of CWE-182