CWE-1284
AllowedImproper Validation of Specified Quantity in Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
494 vulnerabilities reference this CWE, most recent first.
GHSA-HH36-FJHW-7FJ3
Vulnerability from github – Published: 2025-11-23 18:30 – Updated: 2025-12-19 06:30The Secure Flag passed to Versal™ Adaptive SoC’s Arm® Trusted Firmware for Cortex®-A processors (TF-A) for Arm’s Power State Coordination Interface (PSCI) commands were incorrectly set to secure instead of using the processor’s actual security state. This would allow the PSCI requests to appear they were from processors in the secure state instead of the non-secure state.
{
"affected": [],
"aliases": [
"CVE-2025-54515"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-23T18:15:55Z",
"severity": "LOW"
},
"details": "The Secure Flag passed to Versal\u2122 Adaptive SoC\u2019s Arm\u00ae Trusted Firmware for Cortex\u00ae-A processors (TF-A) for Arm\u2019s Power State Coordination Interface (PSCI) commands were incorrectly set to secure instead of using the processor\u2019s actual security state. This would allow the PSCI requests to appear they were from processors in the secure state instead of the non-secure state.",
"id": "GHSA-hh36-fjhw-7fj3",
"modified": "2025-12-19T06:30:27Z",
"published": "2025-11-23T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54515"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HHX5-CRR2-8G8P
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-13 21:31In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid resizing to a partial cluster size
This patch avoids an attempt to resize the filesystem to an unaligned cluster boundary. An online resize to a size that is not integral to cluster size results in the last iteration attempting to grow the fs by a negative amount, which trips a BUG_ON and leaves the fs with a corrupted in-memory superblock.
{
"affected": [],
"aliases": [
"CVE-2022-50020"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid resizing to a partial cluster size\n\nThis patch avoids an attempt to resize the filesystem to an\nunaligned cluster boundary. An online resize to a size that is not\nintegral to cluster size results in the last iteration attempting to\ngrow the fs by a negative amount, which trips a BUG_ON and leaves the fs\nwith a corrupted in-memory superblock.",
"id": "GHSA-hhx5-crr2-8g8p",
"modified": "2025-11-13T21:31:17Z",
"published": "2025-06-18T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50020"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0082e99a9074ff88eff729c70c93454c8588d8e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/53f62a4201be1cfc1e3c971e566888b182c3ffb0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72b850a2a996f72541172e7cf686d54a2b29bcd8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bdfb01fc5f6b3696728aeb527c50386e0ee09a1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80288883294c5b4ed18bae0d8bd9c4a12f297074"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/952b3dc02baaae6a69c71c0aca23e06741182d9a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6805b3dcf5cd41f2ae3a03dca43411135b99849"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HM8Q-7F3Q-5F36
Vulnerability from github – Published: 2026-05-09 00:45 – Updated: 2026-05-14 20:35Summary
Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.
Details
The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:
- A falsy numeric value short-circuited the presence check.
- A non-finite numeric value compared as never-after-now and never-expired.
- A non-numeric type produced NaN comparisons that evaluated false.
This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.
Impact
An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:
- Tokens treated as never expiring even with
expconfigured on the verifier. - Tokens with a future
nbfaccepted as currently valid. - Tokens with a future
iataccepted as legitimately issued.
Deployments using a well-formed token issuer and protecting the signing key are not affected.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.12.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44459"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-09T00:45:19Z",
"nvd_published_at": "2026-05-13T16:16:57Z",
"severity": "LOW"
},
"details": "### Summary\n\nImproper validation of the JWT NumericDate claims `exp`, `nbf`, and `iat` in `hono/utils/jwt` allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches `verify()` \u2014 typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.\n\n### Details\n\nThe validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:\n\n- A falsy numeric value short-circuited the presence check.\n- A non-finite numeric value compared as never-after-now and never-expired.\n- A non-numeric type produced NaN comparisons that evaluated false.\n\nThis deviates from RFC 7519 \u00a74.1.4, which defines NumericDate as a finite JSON numeric value.\n\n### Impact\n\nAn actor able to issue tokens accepted by the application may craft tokens whose `exp`, `nbf`, or `iat` claims silently bypass time-based enforcement. This may lead to:\n\n- Tokens treated as never expiring even with `exp` configured on the verifier.\n- Tokens with a future `nbf` accepted as currently valid.\n- Tokens with a future `iat` accepted as legitimately issued.\n\nDeployments using a well-formed token issuer and protecting the signing key are not affected.",
"id": "GHSA-hm8q-7f3q-5f36",
"modified": "2026-05-14T20:35:44Z",
"published": "2026-05-09T00:45:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44459"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()"
}
GHSA-HQHQ-HP5X-XP3W
Vulnerability from github – Published: 2025-04-21 03:30 – Updated: 2025-04-21 21:55An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.35.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/osrg/gobgp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/osrg/gobgp/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.35.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43970"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-21T21:55:19Z",
"nvd_published_at": "2025-04-21T01:15:45Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family).",
"id": "GHSA-hqhq-hp5x-xp3w",
"modified": "2025-04-21T21:55:19Z",
"published": "2025-04-21T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43970"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/commit/5153bafbe8dbe1a2f02a70bbf0365e98b80e47b0"
},
{
"type": "PACKAGE",
"url": "https://github.com/osrg/gobgp"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/compare/v3.34.0...v3.35.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "GoBGP does not properly check the input length"
}
GHSA-HW4V-5X4H-C3XM
Vulnerability from github – Published: 2021-09-01 18:22 – Updated: 2024-10-24 21:18Impact
A bug in pallet-ethereum can cause invalid transactions to be included in the Ethereum block state in pallet-ethereum due to not validating the input data size. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have be included, but is of no effect as it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints.
Patches
Patches are applied in PR #465.
Workarounds
None.
References
Patch PR: https://github.com/paritytech/frontier/pull/465
For more information
If you have any questions or comments about this advisory: * Open an issue in the Frontier repo
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "pallet-ethereum"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39193"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-01T18:16:10Z",
"nvd_published_at": "2021-09-03T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA bug in `pallet-ethereum` can cause invalid transactions to be included in the Ethereum block state in `pallet-ethereum` due to not validating the input data size. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have be included, but is of no effect as it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints.\n\n### Patches\n\nPatches are applied in PR #465.\n\n### Workarounds\n\nNone.\n\n### References\n\nPatch PR: https://github.com/paritytech/frontier/pull/465\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in the [Frontier repo](https://github.com/paritytech/frontier)\n",
"id": "GHSA-hw4v-5x4h-c3xm",
"modified": "2024-10-24T21:18:31Z",
"published": "2021-09-01T18:22:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39193"
},
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/pull/465"
},
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae"
},
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26"
},
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/commit/dd112e"
},
{
"type": "PACKAGE",
"url": "https://github.com/polkadot-evm/frontier"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Transaction validity oversight in pallet-ethereum"
}
GHSA-J399-WJQP-RM25
Vulnerability from github – Published: 2023-05-16 00:30 – Updated: 2024-04-04 04:10In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07628556; Issue ID: ALPS07628556.
{
"affected": [],
"aliases": [
"CVE-2023-20707"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-15T22:15:10Z",
"severity": "MODERATE"
},
"details": "In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07628556; Issue ID: ALPS07628556.",
"id": "GHSA-j399-wjqp-rm25",
"modified": "2024-04-04T04:10:35Z",
"published": "2023-05-16T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20707"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/May-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J52P-J9XV-W569
Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash.
{
"affected": [],
"aliases": [
"CVE-2021-47831"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T19:16:08Z",
"severity": "MODERATE"
},
"details": "Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash.",
"id": "GHSA-j52p-j9xv-w569",
"modified": "2026-01-16T21:30:36Z",
"published": "2026-01-16T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47831"
},
{
"type": "WEB",
"url": "https://sandboxie-plus.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49844"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sandboxie-denial-of-service"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J5GX-4346-5FFR
Vulnerability from github – Published: 2022-12-19 21:30 – Updated: 2022-12-19 21:30In multiple locations, there is a possible display crash loop due to improper input validation. This could lead to local denial of service with system execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-238178261
{
"affected": [],
"aliases": [
"CVE-2022-20543"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "LOW"
},
"details": "In multiple locations, there is a possible display crash loop due to improper input validation. This could lead to local denial of service with system execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-238178261",
"id": "GHSA-j5gx-4346-5ffr",
"modified": "2022-12-19T21:30:28Z",
"published": "2022-12-19T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20543"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JF7Q-Q45C-4R4F
Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can generate a 100,000 character buffer and paste it into multiple network settings fields to trigger application instability and potential crash.
{
"affected": [],
"aliases": [
"CVE-2021-47821"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T19:16:06Z",
"severity": "MODERATE"
},
"details": "RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can generate a 100,000 character buffer and paste it into multiple network settings fields to trigger application instability and potential crash.",
"id": "GHSA-jf7q-q45c-4r4f",
"modified": "2026-01-16T21:30:36Z",
"published": "2026-01-16T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47821"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49906"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/rarmaradio-denial-of-service"
},
{
"type": "WEB",
"url": "http://www.raimersoft.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JFVC-65M7-7MHV
Vulnerability from github – Published: 2026-05-15 03:30 – Updated: 2026-05-15 03:30Insufficient parameter sanitization in TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_SRIOV_CHECK_TA_COMPAT to cause incorrect shared memory mapping, potentially resulting in unexpected behavior.
{
"affected": [],
"aliases": [
"CVE-2025-66660"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T03:16:22Z",
"severity": "LOW"
},
"details": "Insufficient parameter sanitization in TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_SRIOV_CHECK_TA_COMPAT to cause incorrect shared memory mapping, potentially resulting in unexpected behavior.",
"id": "GHSA-jfvc-65m7-7mhv",
"modified": "2026-05-15T03:30:37Z",
"published": "2026-05-15T03:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66660"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.