CWE-230: Improper Handling of Missing Values
The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.
Last updated
Overview
CWE-230 (Improper Handling of Missing Values) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
12 recorded CVEs are caused by CWE-230 (Improper Handling of Missing Values). The highest-severity and most recent are shown first. 4 new CWE-230 CVEs have been recorded so far in 2026 (1 in 2025).
- CVE-2024-11024
AppPresser – Mobile App Framework <= 4.4.6 - Unauthenticated Privilege Escalation via Password Reset
Critical · CVSS 9.8 · EPSS 48th2024-11-26 - CVE-2024-10508
RegistrationMagic – User Registration Plugin with Custom Registration Forms <= 6.0.2.6 - Unauthenticated Privilege Escalation via Password Recovery
Critical · CVSS 9.8 · EPSS 71th2024-11-09 - CVE-2026-20086High · CVSS 8.6 · EPSS 28th2026-03-25
- CVE-2024-0048High · CVSS 8.4 · EPSS 3th2024-03-11
- CVE-2024-9781
Improper Handling of Missing Values in Wireshark
High · CVSS 7.8 · EPSS 23th2024-10-10 - CVE-2024-0208
Improper Handling of Missing Values in Wireshark
High · CVSS 7.8 · EPSS 76th2024-01-03 - CVE-2026-25659
Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability
High · CVSS 7.1 · EPSS 6th2026-06-05 - CVE-2026-25658
Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability
High · CVSS 7.1 · EPSS 6th2026-06-05 - CVE-2026-1461
Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values
Medium · CVSS 6.5 · EPSS 13th2026-02-19 - CVE-2025-23225
IBM MQ denial of service
Medium · CVSS 6.5 · EPSS 33th2025-02-28 - CVE-2024-6237
389-ds-base: unauthenticated user can trigger a dos by sending a specific extended search request
Medium · CVSS 6.5 · EPSS 56th2024-07-09 - CVE-2023-1697Medium · CVSS 6.5 · EPSS 24th2023-04-17
Common consequences
What can happen when CWE-230 is exploited.
Unexpected State
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This Android application has registered to handle a URL when sent an intent:
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2002-0422 — Blank Host header triggers resultant infoleak.
- CVE-2000-1006 — Blank "charset" attribute in MIME header triggers crash.
- CVE-2004-1504 — Blank parameter causes external error infoleak.
- CVE-2005-2053 — Blank parameter causes external error infoleak.
Terminology & mappings
Mapped taxonomies
- PLOVER: Missing Value Error
- The CERT Oracle Secure Coding Standard for Java (2011): Do not catch NullPointerException or any of its ancestors (ERR08-J)
Frequently asked questions
Common questions about CWE-230.
- What is CWE-230?
- The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.
- What CVEs are caused by CWE-230?
- 12 recorded CVEs are attributed to CWE-230, including CVE-2024-11024, CVE-2024-10508, CVE-2026-20086.
- What are the consequences of CWE-230?
- Exploiting CWE-230 can lead to: Unexpected State.
- Is CWE-230 actively exploited?
- 12 recorded CVEs are caused by CWE-230; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-230) (opens in a new tab)
- CWE-230 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-230
Get alerted the moment a new CWE-230 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.