
CWE-205: Observable Behavioral Discrepancy

Base | Incomplete

The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.


Extended Description

Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel.

Technical Details

Structure
Simple

Applicable To

Languages: Not Language-Specific

Frequently Asked Questions

What is CWE-205: Observable Behavioral Discrepancy?

CWE-205: Observable Behavioral Discrepancy is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel.

What are the security consequences of Observable Behavioral Discrepancy?

If exploited, CWE-205 (Observable Behavioral Discrepancy) can compromise Confidentiality and Access Control, leading to outcomes such as Read Application Data and Bypass Protection Mechanism.

Which programming languages are affected by Observable Behavioral Discrepancy?

CWE-205 is not language-specific. Weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Observable Behavioral Discrepancy?

MITRE documents real CVEs mapped to CWE-205, including CVE-2002-0208 and CVE-2004-2252. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?

A CWE (Common Weakness Enumeration) like CWE-205 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.
