
CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize) — Vulnerability Class 10

10 vulnerabilities classified as CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize). AI Chinese analysis included.

CWE-180 represents a critical logic flaw where software validates input data before normalizing or canonicalizing it. This sequencing error allows attackers to bypass security controls by submitting specially crafted inputs that appear valid in their raw form but transform into malicious payloads after canonicalization. For instance, an attacker might use encoded characters that pass initial validation checks but resolve to dangerous sequences, such as SQL injection strings or path traversal sequences, once the system processes them. To mitigate this vulnerability, developers must strictly enforce a canonicalization-first approach. By normalizing input data before applying any validation rules, applications ensure that security checks operate on the final, resolved form of the data. This practice effectively neutralizes evasion techniques that rely on encoding or transformation, ensuring that all potential threats are detected and blocked consistently.

MITRE CWE Description
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.
Common Consequences (1)
Scope: Access Control · Impact: Bypass Protection Mechanism
Mitigations (1)
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Examples (1)
The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".
Bad · Java

    String path = getInputPath();
    if (path.startsWith("/safe_dir/")) {
        File f = new File(path);
        return f.getCanonicalPath();
    }

Good · Java

    String path = getInputPath();
    File f = new File(path);
    if (f.getCanonicalPath().startsWith("/safe_dir/")) {
        return f.getCanonicalPath();
    }
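A runnable version of the same ordering bug, together with the double-decoding caveat from the Mitigations section, added here as an example in Python rather than the Java of the MITRE snippet (it is not code from the page or from MITRE). posixpath.normpath stands in for getCanonicalPath, and all sample paths are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

SAFE_DIR = "/safe_dir/"  # allowlisted prefix, as in the CWE example


def canonicalize(raw: str) -> str:
    """Decode percent-encoding exactly once, then resolve '.', '..' and
    repeated slashes lexically. posixpath.normpath stands in for Java's
    getCanonicalPath here; it never touches the filesystem or follows
    symlinks, which os.path.realpath would do in a real deployment."""
    return posixpath.normpath(unquote(raw))


def validate_before_canonicalize(raw: str) -> Optional[str]:
    """CWE-180 ordering (the 'Bad' snippet): the allowlist check sees the
    raw string, so '/safe_dir/../etc/passwd' passes and only afterwards
    resolves to a path outside the allowed directory."""
    if raw.startswith(SAFE_DIR):
        return canonicalize(raw)
    return None


def canonicalize_then_validate(raw: str) -> Optional[str]:
    """Correct ordering (the 'Good' snippet): resolve first, then check the
    final form, so plain and percent-encoded traversal are both rejected."""
    path = canonicalize(raw)
    if path.startswith(SAFE_DIR):
        return path
    return None


def validate_then_decode_again(raw: str) -> Optional[str]:
    """CWE-174 caveat: even with the right order, a later layer that decodes
    the already-checked value a second time reopens the bypass, because
    '%252e' survives the first decode as '%2e' and only then becomes '.'."""
    path = canonicalize_then_validate(raw)
    if path is None:
        return None
    return posixpath.normpath(unquote(path))  # the second decode is the bug


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real CVE.
    for raw in ("/safe_dir/reports/q1.txt", "/safe_dir/../etc/passwd",
                "/safe_dir/%2e%2e/etc/passwd", "/safe_dir/%252e%252e/etc/passwd"):
        print(raw, validate_before_canonicalize(raw),
              canonicalize_then_validate(raw), validate_then_decode_again(raw))
```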

Vulnerabilities classified as CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize) represent 10 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.