The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

What CVEs are caused by CWE-187?

5 recorded CVEs are attributed to CWE-187, including CVE-2026-35031, CVE-2022-31802, CVE-2024-39742.

How do you prevent CWE-187?

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

What are the consequences of CWE-187?

Exploiting CWE-187 can lead to: Alter Execution Logic, Bypass Protection Mechanism.

Is CWE-187 actively exploited?

5 recorded CVEs are caused by CWE-187; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-187: Partial String Comparison

CVE-2025-23384

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.

Vulnerable example

/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */

Attack input

plaintext

CWE-187: Partial String Comparison

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-187?

What CVEs are caused by CWE-187?

How do you prevent CWE-187?

What are the consequences of CWE-187?

Is CWE-187 actively exploited?

References

Stay ahead of CWE-187

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-187?

What CVEs are caused by CWE-187?

How do you prevent CWE-187?

What are the consequences of CWE-187?

Is CWE-187 actively exploited?

References

Stay ahead of CWE-187