Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-177 (URL编码处理不恰当(Hex编码)) — Vulnerability Class 9

9 vulnerabilities classified as CWE-177 (URL编码处理不恰当(Hex编码)). AI Chinese analysis included.

CWE-177 represents a critical input validation weakness where software fails to correctly process URL-encoded data, often leading to security vulnerabilities. Attackers typically exploit this by crafting malicious payloads that bypass initial filtering mechanisms through double-encoding or partial encoding, allowing them to inject harmful scripts or execute unauthorized commands. This evasion technique tricks the application into treating encoded characters as safe literals until they are processed later in the pipeline. To mitigate this risk, developers must implement robust input validation strategies that decode all incoming data early in the request lifecycle. By normalizing inputs before any security checks, applications can consistently identify and reject malicious patterns. Additionally, employing strict allow-lists for expected characters and utilizing parameterized queries further reduces the attack surface, ensuring that encoded inputs are handled predictably and securely throughout the entire processing chain.

MITRE CWE Description
The product does not properly handle when all or part of an input has been URL encoded.
Common Consequences (1)
IntegrityUnexpected State
Mitigations (3)
Architecture and DesignAvoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CVE IDTitleCVSSSeverityPublished
CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators — @fastify/static 5.9 Medium2026-04-16
CVE-2026-29045 Hono: Arbitrary file access via serveStatic vulnerability — hono 7.5 High2026-03-04
CVE-2026-22037 @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding) — fastify-express 8.4 High2026-01-19
CVE-2026-22031 Fastify Middie Middleware Path Bypass — middie 8.4 High2026-01-19
CVE-2025-11990 Improper Handling of URL Encoding (Hex Encoding) in GitLab — GitLab 3.1 Low2025-11-15
CVE-2024-48866 QTS, QuTS hero — QTS 7.5 -2024-12-06
CVE-2022-3854 Red Hat Ceph 安全漏洞 — ceph 6.5 -2023-03-06
CVE-2022-27780 curl 代码问题漏洞 — https://github.com/curl/curl 7.5 -2022-06-01
CVE-2018-3718 serve 安全漏洞 — serve node module 7.5 -2018-06-07

Vulnerabilities classified as CWE-177 (URL编码处理不恰当(Hex编码)) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.