The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
View on MITREAttackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.
Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.
The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string.
Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case script tags.
Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusion via path traversal (CWE-22), allowing deletion of arbitrary files on Windows systems.
View Detailsproduct uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
View DetailsPHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
View DetailsProgramming language does not filter certain shell metacharacters in Windows environment.
View DetailsXSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
View DetailsWeb-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
View DetailsPrivileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
View DetailsDetection of risky filename extensions prevents users from automatically executing .EXE files, but .LNK is accepted, allowing resultant Windows symbolic link.
View DetailsProduct uses list of protected variables, but accidentally omits one dangerous variable, allowing external modification
View DetailsChain: product only checks for use of "javascript:" tag (CWE-184), allowing XSS (CWE-79) using other tags
View DetailsChain: OS command injection (CWE-78) enabled by using an unexpected character that is not explicitly disallowed (CWE-184)
View Details"\" not in list of disallowed values for web server, allowing path traversal attacks when the server is run on Windows and other OSes.
View DetailsCWE-184: Incomplete List of Disallowed Inputs is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
If exploited, CWE-184 (Incomplete List of Disallowed Inputs) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.
Recommended mitigations for CWE-184 include: Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
CWE-184 can be detected using Black Box. Combining automated tooling with manual review typically yields the best coverage.
CWE-184 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-184, including CVE-2024-4315, CVE-2008-2309, CVE-2005-2782, CVE-2004-0542 and CVE-2004-0595. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-184 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.