The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
View on MITREMost languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".
Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their product. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating.
Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.
No detection method information available for this CWE.
Read arbitrary files from mail client by providing a special MIME header that is internally used to store pathnames for attachments.
View DetailsSetuid program does not cleanse special escape sequence before sending data to a mail program, causing the mail program to process those sequences.
View DetailsMulti-channel issue. Terminal escape sequences not filtered from log files.
View DetailsMulti-channel issue. Terminal escape sequences not filtered from log files.
View DetailsNo relationship information available for this CWE.
CWE-138: Improper Neutralization of Special Elements is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".
If exploited, CWE-138 (Improper Neutralization of Special Elements) it can compromise Confidentiality, Integrity, Availability and Other, leading to outcomes such as Execute Unauthorized Code or Commands, Alter Execution Logic and DoS: Crash, Exit, or Restart.
Recommended mitigations for CWE-138 include: Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their product. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating. Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.
CWE-138 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-138, including CVE-2001-0677, CVE-2000-0703, CVE-2003-0020 and CVE-2003-0083. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-138 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.