CWE-176
Improper Handling of Unicode Encoding
Variant
What it is
The product does not properly handle input that contains Unicode encoding.
Impact
| Scope | Impact |
|---|---|
| Integrity | Unexpected State |
Mitigations
- [Architecture and Design] Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full r
- [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
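The ordering described in the mitigations above (decode once, canonicalize, then validate against an allowlist) can be sketched in Python as follows. This is a minimal illustration under stated assumptions, not a complete validator: the function names `canonicalize` and `validate_name`, the allowlist pattern, and the choice of NFKC as the canonical form are all hypothetical and would need to match the application's actual internal representation.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Hypothetical allowlist: starts with a lowercase letter or digit, then up to
# 63 more characters drawn from lowercase letters, digits, '_', '.', and '-'.
_ALLOWED_NAME = re.compile(r"[a-z0-9][a-z0-9_.-]{0,63}")


def canonicalize(raw: str) -> str:
    """Percent-decode exactly once, decode strictly as UTF-8, then NFKC-normalize."""
    # Single decoding pass (CWE-174): a doubly encoded '%252e' becomes the
    # literal text '%2e' and is never decoded a second time.
    data = unquote_to_bytes(raw)
    # Strict decoding raises UnicodeDecodeError on malformed or overlong sequences.
    text = data.decode("utf-8", errors="strict")
    # NFKC folds compatibility forms (for example fullwidth letters) to plain ones.
    return unicodedata.normalize("NFKC", text)


def validate_name(raw: str) -> str:
    """Return the canonical name if it passes the allowlist, else raise ValueError."""
    try:
        name = canonicalize(raw)
    except UnicodeDecodeError as exc:
        raise ValueError("input is not well-formed UTF-8") from exc
    # Validation runs on the canonical form (CWE-180), never on the raw input.
    if not _ALLOWED_NAME.fullmatch(name):
        raise ValueError("input is outside the allowlist")
    return name
```

Because the allowlist is applied only after canonicalization, a fullwidth solidus (U+FF0F) that NFKC folds to `/` is rejected, as is a doubly encoded `%252e%252e`, which survives the single decoding pass as the literal text `%2e%2e` and fails the pattern.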
Real-world CVE examples
- CVE-2000-0884 — Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encod
- CVE-2001-0709 — Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode.
- CVE-2001-0669 — Overlaps interaction error.
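As an illustration of the general class of problem, and not a reconstruction of any specific CVE listed above, the following Python sketch contrasts a check performed on the still-encoded path with one performed after a single strict decode. The function names and example paths are hypothetical. The `%c0%ae` sequence is an overlong UTF-8 encoding of `.`, which a strict UTF-8 decoder rejects.

```python
from urllib.parse import unquote


def naive_is_safe(raw_path: str) -> bool:
    """Flawed check: inspects the encoded path, which a later stage will decode."""
    return ".." not in raw_path


def decoded_is_safe(raw_path: str) -> bool:
    """Decode once with a strict UTF-8 decoder, then inspect the decoded segments."""
    try:
        path = unquote(raw_path, encoding="utf-8", errors="strict")
    except UnicodeDecodeError:
        # Malformed or overlong byte sequences are rejected outright.
        return False
    # Reject any path segment that is exactly '..' after decoding.
    return ".." not in path.split("/")


if __name__ == "__main__":
    for candidate in (
        "/docs/index.html",
        "/scripts/%2e%2e/%2e%2e/secret.txt",
        "/scripts/%c0%ae%c0%ae/secret.txt",
    ):
        print(candidate, naive_is_safe(candidate), decoded_is_safe(candidate))
```

The naive check accepts all three example paths because none contains a literal `..` before decoding; the decode-first check accepts only the first.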
Source: MITRE CWE (cwe.mitre.org).