
CWE-138 (Improper Neutralization of Special Elements) — Vulnerability Class 12

12 vulnerabilities classified as CWE-138 (Improper Neutralization of Special Elements). AI-generated Chinese analysis included.

CWE-138 represents a critical input validation weakness where software fails to properly sanitize special characters or syntactic markers before passing them to a downstream component. This flaw allows attackers to inject malicious payloads that exploit the interpretation logic of the receiving system, potentially leading to severe outcomes such as command injection, cross-site scripting, or SQL injection. By treating user-controlled data as executable code or structural syntax rather than plain text, the application inadvertently executes unintended commands or alters data structures. Developers can prevent this vulnerability by implementing rigorous input validation, strictly whitelisting acceptable characters, and employing context-aware encoding or escaping techniques. Additionally, using parameterized queries and safe APIs ensures that special elements are treated as data, effectively neutralizing their potential to act as control elements within the downstream environment.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If the product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Other
Impact: Execute Unauthorized Code or Commands; Alter Execution Logic; DoS: Crash, Exit, or Restart
Mitigations (5)

Phase: Implementation. Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their product. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have …

Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…

Phase: Implementation. Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.

Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Phase: Implementation. While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or whit…
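As an added Python example (not part of the CWE entry or this page) that puts three of the mitigations above side by side: decoding once and then validating against an allowlist, the opposite order that CWE-180 warns about, and output encoding chosen per downstream context. The username character set and the 32-character limit are assumptions chosen for the demonstration, and the inputs are constructed sample values.

```python
import html
import re
import shlex
from urllib.parse import unquote

# Allowlist: describe what a valid username IS ("accept known good"). The character
# set and the 32-character limit are assumptions made for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_before_decode(raw: str) -> str:
    """The order CWE-180 warns about: a check on the raw (still percent-encoded) form,
    followed by decoding. The encoding hides the special elements from the check."""
    if "/" in raw or ".." in raw:
        raise ValueError(f"rejected: {raw!r}")
    return unquote(raw)  # decoding after the check re-creates the "../" it was meant to stop


def validate_username(raw: str) -> str:
    """The recommended order: decode exactly once, then validate the canonical form
    against the allowlist. Nothing downstream may decode the value a second time (CWE-174)."""
    decoded = unquote(raw)  # the single, explicit decode step
    if not USERNAME_RE.fullmatch(decoded):
        raise ValueError(f"rejected: {raw!r}")
    return decoded


def escape_for(value: str, context: str) -> str:
    """Context-aware output encoding: the same value must be encoded differently for
    each downstream interpreter, so one generic "sanitize" routine cannot serve them all."""
    if context == "html_text":
        return html.escape(value, quote=False)  # neutralizes < > &
    if context == "html_attr":
        return html.escape(value, quote=True)   # additionally neutralizes " and '
    if context == "shell_arg":
        return shlex.quote(value)               # single-quotes anything a shell would interpret
    raise ValueError(f"unknown context: {context!r}")


def is_rejected(validator, raw: str) -> bool:
    """Helper for the demonstration: records a ValueError from a validator as a rejection."""
    try:
        validator(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(validate_before_decode("%2e%2e%2f"))          # "../": slipped past the raw-form check
    print(is_rejected(validate_username, "%2e%2e%2f"))  # True: decoded form fails the allowlist
    print(is_rejected(validate_username, "%252e"))      # True: decoded once to "%2e", "%" is not allowed
    for ctx in ("html_text", "html_attr", "shell_arg"):
        print(ctx, escape_for('<b>"x"</b>', ctx))
```

The `%252e` case is the one that matters for CWE-174: `validate_username` decodes it exactly once to `%2e`, which the allowlist rejects; a second decode anywhere downstream would turn an already-validated value back into a special element.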
Examples (2)

The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.

    my $Username = GetUntrustedInput();
    $Username =~ s/\.\.\///;   # removes only the first "../" (no /g); the result is never canonicalized
    my $filename = "/home/user/" . $Username;
    ReadAndSendFile($filename);

Bad · Perl

Attack input: ../../../etc/passwd
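An added Python counterpart to the Perl example above (not part of the CWE entry): `strip_dotdot_once` mirrors the single, non-global substitution, `strip_dotdot_all` mirrors the same regex with /g, and `safe_join` shows the mitigation the entry recommends instead, canonicalizing the resulting path and checking that it still lies under the base directory. The base directory and file names are constructed sample values.

```python
import posixpath


def strip_dotdot_once(name: str) -> str:
    r"""Mirrors the Perl s/\.\.\/// (no /g): only the FIRST "../" occurrence is removed."""
    return name.replace("../", "", 1)


def strip_dotdot_all(name: str) -> str:
    r"""Mirrors s/\.\.\///g: every "../" is removed, but in a single pass. Removing one
    occurrence can leave a fresh "../" behind, so the filter is not idempotent (CWE-182)."""
    return name.replace("../", "")


def safe_join(base: str, name: str) -> str:
    """Mitigation: build the path, canonicalize it, then verify containment.
    posixpath.normpath is purely lexical; production code should also resolve symlinks
    with os.path.realpath before the containment check."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, name))
    # An absolute name replaces the base in join(), so the prefix check catches that too.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {name!r}")
    return candidate


def escapes_base(base: str, name: str) -> bool:
    """Helper for the demonstration: True when safe_join rejects the name."""
    try:
        safe_join(base, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(strip_dotdot_once("../../../etc/passwd"))    # ../../etc/passwd  (two traversals survive)
    print(strip_dotdot_all("....//....//etc/passwd"))  # ../../etc/passwd  (collapses into a traversal)
    print(safe_join("/home/user", "docs/report.txt"))  # /home/user/docs/report.txt
    print(escapes_base("/home/user", "../../etc/passwd"))  # True: rejected after canonicalization
```

The point of `safe_join` is that it never tries to recognise bad substrings at all: it computes what the path will actually resolve to and compares that against the allowed root, which is the "canonicalize before validating" rule from the mitigations.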
The following example assigns some character values to a list of characters and prints them each individually, and then as a string. The third character value is intended to be an integer taken from user input and converted to an int. The first print statement will print each character separated by a space.

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        char *foo;
        foo = malloc(sizeof(char) * 5);
        foo[0] = 'a';
        foo[1] = 'a';
        foo[2] = fgetc(stdin);   /* one byte of untrusted input; a NUL byte here ends the string early */
        foo[3] = 'c';
        foo[4] = '\0';
        printf("%c %c %c %c %c \n", foo[0], foo[1], foo[2], foo[3], foo[4]);
        printf("%s\n", foo);     /* prints only "aa" if the input byte was '\0' */
        free(foo);
        return 0;
    }

Bad · C
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability | Microsoft 365 Copilot's Business Chat | 7.5 | High | 2026-05-07
CVE-2026-32178 | .NET Spoofing Vulnerability | .NET 10.0 | 7.5 | High | 2026-04-14
CVE-2026-20009 | Cisco Secure Firewall Adaptive Security Appliance SSH Partial Private Key Authentication Bypass Vulnerability | Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 5.3 | Medium | 2026-03-04
CVE-2025-48939 | tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript | tarteaucitron.js | 4.2 | Medium | 2025-07-03
CVE-2025-5878 | ESAPI esapi-java-legacy SQL Injection Defense Encoder.encodeForSQL special element | esapi-java-legacy | 7.3 | High | 2025-06-29
CVE-2024-51500 | Failure to check for packets from the broadcast address allows potential DDoS amplification attack in Meshtastic firmware | firmware | 5.3 | Medium | 2024-11-04
CVE-2024-38133 | Windows Kernel Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2024-08-13
CVE-2023-42117 | Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability | Exim | 9.8 | - | 2024-05-03
CVE-2023-22288 | Email HTML Injection | Checkmk | 6.8 | Medium | 2023-03-20
CVE-2022-2429 | Ultimate SMS Notifications for WooCommerce <= 1.4.1 - CSV Injection | Ultimate SMS Notifications for WooCommerce | 6.5 | Medium | 2022-09-06
CVE-2022-0024 | PAN-OS: Improper Neutralization Vulnerability Leads to Unintended Program Execution During Configuration Commit | PAN-OS | 7.2 | High | 2022-05-11
CVE-2016-0750 | Infinispan hotrod java client security vulnerability | Infinispan | 8.8 | - | 2018-09-11

Vulnerabilities classified as CWE-138 (Improper Neutralization of Special Elements) represent 12 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.