CWE-138: Improper Neutralization of Special Elements

ClassDraft

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

View on MITRE
Back to CWE Lookup

Extended Description

Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-138: Improper Neutralization of Special Elements?+

CWE-138: Improper Neutralization of Special Elements is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".

What are the security consequences of Improper Neutralization of Special Elements?+

If exploited, CWE-138 (Improper Neutralization of Special Elements) it can compromise Confidentiality, Integrity, Availability and Other, leading to outcomes such as Execute Unauthorized Code or Commands, Alter Execution Logic and DoS: Crash, Exit, or Restart.

How do you prevent or mitigate Improper Neutralization of Special Elements?+

Recommended mitigations for CWE-138 include: Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their product. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating. Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.

Which programming languages are affected by Improper Neutralization of Special Elements?+

CWE-138 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Neutralization of Special Elements?+

MITRE documents real CVEs mapped to CWE-138, including CVE-2001-0677, CVE-2000-0703, CVE-2003-0020 and CVE-2003-0083. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-138 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More