
CWE-173 (Improper Handling of Alternate Encoding) — Vulnerability Class 3

3 vulnerabilities are classified as CWE-173 (Improper Handling of Alternate Encoding). An AI-generated analysis in Chinese is included.

CWE-173 is an input validation weakness in which software fails to normalize or interpret alternate character encodings before processing input. Attackers exploit it by submitting payloads in an alternative encoding, such as a non-canonical Unicode form or UTF-7, which passes security filters that only inspect the primary encoding. The mismatch lets cross-site scripting, SQL injection, or command injection payloads through filters that would otherwise block them. To mitigate the risk, developers should normalize all incoming data to a single canonical encoding before validation, apply a strict allow-list of acceptable characters, and make sure every security control operates on the normalized data rather than the raw input. Standardizing encoding handling early in the processing pipeline neutralizes encoding-based evasion.

MITRE CWE Description
The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (4)
Architecture and Design: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
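The overview above and the last mitigation (decode and canonicalize once, then validate on the canonical form) are easiest to see side by side in code. The following is an added example written for this page, not code from MITRE or from any of the listed products; the allow-list pattern, the file-name use case and the sample inputs are constructed assumptions. It decodes percent-encoding exactly once, folds the result to Unicode NFKC, rejects input that would still change under a second pass (the CWE-174 double-decoding guard), and only then applies the allow-list. A deliberately flawed function that filters the raw string first and decodes afterwards is included for contrast.

```python
"""Canonicalize-then-validate for CWE-173 (added example, not from the CWE page)."""
import re
import unicodedata
import urllib.parse
from typing import Optional

# Assumed allow-list for a canonical file name: ASCII letters, digits, '_', '.', '-',
# must not start with '.', and is at most 64 characters long.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def canonicalize(raw: str) -> str:
    """Decode percent-encoding exactly once, then fold to Unicode NFKC.

    NFKC maps compatibility forms (fullwidth letters, fullwidth '/' and '.')
    onto their ASCII equivalents, so the allow-list sees one representation.
    """
    decoded = urllib.parse.unquote(raw)            # single decoding pass (CWE-174)
    return unicodedata.normalize("NFKC", decoded)  # canonical internal form (CWE-180)


def validate_name(raw: str) -> Optional[str]:
    """Return the canonical name if it passes the allow-list, else None.

    The check runs on the canonical form, never on the raw input, and the
    function rejects anything that carries a further encoding layer.
    """
    canon = canonicalize(raw)
    # If a second pass changes the value, the input was double-encoded; reject it
    # rather than risk a later decode after validation has already run.
    if canonicalize(canon) != canon:
        return None
    if ALLOWED_NAME.fullmatch(canon) is None:
        return None
    return canon


def blocklist_then_decode(raw: str) -> Optional[str]:
    """The flawed ordering CWE-173 describes: filter the raw input, decode later.

    The block-list never sees the decoded form, so an alternate encoding of
    the blocked characters passes the check and is decoded afterwards.
    """
    if "/" in raw or ".." in raw:
        return None
    return canonicalize(raw)  # decoding happens after the check: too late


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["report.txt", "\uff52\uff45\uff50\uff4f\uff52\uff54.txt",
               "%2e%2e%2fetc", "a%252Eb"]
    for s in samples:
        print(repr(s), "->", validate_name(s), "| flawed:", blocklist_then_decode(s))
```

Running the script shows the fullwidth spelling of "report.txt" accepted as the canonical ASCII name, the percent-encoded traversal and the double-encoded name both rejected by validate_name, and the same percent-encoded input slipping past blocklist_then_decode. The key design choice is that canonicalize is applied once and its idempotence is checked, so validation and later use operate on exactly the same bytes.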
CVE ID          Title                                                                    CVSS  Severity  Published
CVE-2024-54158  JetBrains YouTrack security vulnerability — YouTrack                     3.5   Low       2024-12-04
CVE-2023-26303  markdown-it-py crash on null assertions — markdown-it-py                 3.3   Low       2023-02-22
CVE-2023-26302  markdown-it-py CLI crash on invalid UTF-8 characters — markdown-it-py    3.3   Low       2023-02-22

Vulnerabilities classified as CWE-173 (Improper Handling of Alternate Encoding) account for 3 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.