The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.

What CVEs are caused by CWE-232?

8 recorded CVEs are attributed to CWE-232, including CVE-2025-20192, CVE-2025-40775, CVE-2023-2968.

What are the consequences of CWE-232?

Exploiting CWE-232 can lead to: Unexpected State.

Is CWE-232 actively exploited?

8 recorded CVEs are caused by CWE-232; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-232: Improper Handling of Undefined Values

CVE-2025-20314

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In this example, an address parameter is read and trimmed of whitespace.

Vulnerable example

java

String address = request.getParameter("address");

If the value of the address parameter is null (undefined), the servlet will throw a NullPointerException when the trim() is attempted.

CWE-232: Improper Handling of Undefined Values

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-232?

What CVEs are caused by CWE-232?

What are the consequences of CWE-232?

Is CWE-232 actively exploited?

References

Stay ahead of CWE-232

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-232?

What CVEs are caused by CWE-232?

What are the consequences of CWE-232?

Is CWE-232 actively exploited?

References

Stay ahead of CWE-232