Base weakness

Draft

CWE-184: Incomplete List of Disallowed Inputs

Also known as: Denylist / Deny List, Blocklist / Block List, Blacklist / Black List

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-184 (Incomplete List of Disallowed Inputs) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2024-6091 — Chain: AI agent platform does not restrict pathnames containing internal "/./" sequences (CWE-55), leading to an incomplete denylist (CWE-184) that does not prevent OS command injection (CWE-78)
CVE-2024-4315 — Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusion via path traversal (CWE-22), allowing deletion of arbitrary files on Windows systems.
CVE-2024-44335 — Chain: filter only checks for some shell-injection characters (CWE-184), enabling OS command injection (CWE-78)
CVE-2008-2309 — product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
CVE-2005-2782 — PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
CVE-2004-0542 — Programming language does not filter certain shell metacharacters in Windows environment.
CVE-2004-0595 — XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
CVE-2005-3287 — Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
CVE-2004-2351 — Resultant XSS when only and are checked.
CVE-2005-2959 — Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
CVE-2005-1824 — SQL injection protection scheme does not quote the "\" special character.
CVE-2005-2184 — Detection of risky filename extensions prevents users from automatically executing .EXE files, but .LNK is accepted, allowing resultant Windows symbolic link.
CVE-2007-1343 — Product uses list of protected variables, but accidentally omits one dangerous variable, allowing external modification
CVE-2007-5727 — Chain: product only removes SCRIPT tags (CWE-184), enabling XSS (CWE-79)
CVE-2006-4308 — Chain: product only checks for use of "javascript:" tag (CWE-184), allowing XSS (CWE-79) using other tags
CVE-2007-3572 — Chain: OS command injection (CWE-78) enabled by using an unexpected character that is not explicitly disallowed (CWE-184)
CVE-2002-0661 — "\" not in list of disallowed values for web server, allowing path traversal attacks when the server is run on Windows and other OSes.

CWE-184: Incomplete List of Disallowed Inputs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Black Box

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-184?

What CVEs are caused by CWE-184?

How do you prevent CWE-184?

How is CWE-184 detected?

What are the consequences of CWE-184?

Is CWE-184 actively exploited?

References

Stay ahead of CWE-184

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Black Box

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Peer

Can precede

Related

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-184?

What CVEs are caused by CWE-184?

How do you prevent CWE-184?

How is CWE-184 detected?

What are the consequences of CWE-184?

Is CWE-184 actively exploited?

References

Stay ahead of CWE-184