Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1389 — Vulnerability Class 2

2 vulnerabilities classified as CWE-1389. AI Chinese analysis included.

CWE-1389 represents a critical input validation weakness where software incorrectly interprets numeric strings by assuming a decimal base while ignoring implicit radix indicators. Attackers typically exploit this by prefixing inputs with "0" to trigger octal interpretation or "0x" for hexadecimal, causing the system to process values significantly different from the user’s intent. For instance, an IP address like "023" might be parsed as decimal 23 instead of octal 35, leading to unauthorized access or logic errors. To prevent such vulnerabilities, developers must explicitly specify the radix during parsing operations, ensuring consistent decimal interpretation regardless of leading characters. Implementing strict input sanitization and using safe parsing functions that require explicit base definitions effectively mitigates this risk, preserving data integrity and application security against deceptive numeric formatting.

MITRE CWE Description
The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix). Frequently, a numeric input that begins with "0" is treated as octal, or "0x" causes it to be treated as hexadecimal, e.g. by the inet_addr() function. For example, "023" (octal) is 35 decimal, or "0x31" is 49 decimal. Other bases may be used as well. If the developer assumes decimal-only inputs, the code could produce incorrect numbers when the inputs are parsed using a different base. This can result in unexpected and/or dangerous behavior. For example, a "0127.0.0.1" IP address is parsed as octal due to the leading "0", whose numeric value would be the same as 87.0.0.1 (decimal), where the developer likely expected to use 127.0.0.1. The consequences vary depending on the surrounding code in which this weakness occurs, but they can include bypassing network-based access control using unexpected IP addresses or netmasks, or causing apparently-symbolic identifiers to be processed as if they are numbers. In web applications, this can enable bypassing of SSRF restrictions.
Common Consequences (2)
ConfidentialityRead Application Data
An attacker may use an unexpected numerical base to access private application resources.
IntegrityBypass Protection Mechanism, Alter Execution Logic
An attacker may use an unexpected numerical base to bypass or manipulate access control mechanisms.
Mitigations (3)
ImplementationIf only decimal-based values are expected in the application, conditional checks should be created in a way that prevent octal or hexadecimal strings from being checked. This can be achieved by converting any numerical string to an explicit base-10 integer prior to the conditional check, to prevent octal or hex values from ever being checked against the condition.
ImplementationIf various numerical bases do need to be supported, check for leading values indicating the non-decimal base you wish to support (such as 0x for hex) and convert the numeric strings to integers of the respective base. Reject any other alternative-base string that is not intentionally supported by the application.
ImplementationIf regular expressions are used to validate IP addresses, ensure that they are bounded using ^ and $ to prevent base-prepended IP addresses from being matched.
Examples (2)
The below demonstrative example uses an IP validator that splits up an IP address by octet, tests to ensure each octet can be casted into an integer, and then returns the original IP address if no exceptions are raised. This validated IP address is then tested using the "ping" command.
import subprocess def validate_ip(ip: str): split_ip = ip.split('.') if len(split_ip) > 4 or len(split_ip) == 0: raise ValueError("Invalid IP length") for octet in split_ip: try: int(octet, 10) except ValueError as e: raise ValueError(f"Cannot convert IP octet to int - {e}") # Returns original IP after ensuring no exceptions are raised return ip def run_ping(ip: str): validated = validate_ip(ip) # The ping command treats zero-prepended IP addresses as octal result = subprocess.call(["ping", validated]) print(result)
Bad · Python
This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.
import subprocess import re def validate_ip_regex(ip: str): ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}") if ip_validator.match(ip): return ip else: raise ValueError("IP address does not match valid pattern.") def run_ping_regex(ip: str): validated = validate_ip_regex(ip) # The ping command treats zero-prepended IP addresses as octal result = subprocess.call(["ping", validated]) print(result)
Bad · Python
CVE IDTitleCVSSSeverityPublished
CVE-2018-25242 One Search 1.1.0.0 Denial of Service — One Search 6.2 Medium2026-04-04
CVE-2024-26015 Fortinet FortiProxy 安全漏洞 — FortiProxy 3.1 Low2024-07-09

Vulnerabilities classified as CWE-1389 represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.