The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

What CVEs are caused by CWE-204?

146 recorded CVEs are attributed to CWE-204, including CVE-2018-25350, CVE-2025-5485, CVE-2025-46390.

How do you prevent CWE-204?

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

What are the consequences of CWE-204?

Exploiting CWE-204 can lead to: Read Application Data, Bypass Protection Mechanism.

Is CWE-204 actively exploited?

146 recorded CVEs are caused by CWE-204; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-204: Observable Response Discrepancy

CVE-2025-3092

MB connect line: Observable response discrepancy in mbCONNECT24/mymbCONNECT24

CWE-204: Observable Response Discrepancy

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.

Vulnerable example

perl

my $username=param('username');

Resulting query

plaintext

"Login Failed - incorrect username or password"

CWE-204: Observable Response Discrepancy

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-204?

What CVEs are caused by CWE-204?

How do you prevent CWE-204?

What are the consequences of CWE-204?

Is CWE-204 actively exploited?

References

Stay ahead of CWE-204

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-204?

What CVEs are caused by CWE-204?

How do you prevent CWE-204?

What are the consequences of CWE-204?

Is CWE-204 actively exploited?

References

Stay ahead of CWE-204