CWE-551 (Incorrect Behavior Order: Authorize Before Parsing and Canonicalization) — Vulnerability Class 6

6 vulnerabilities classified as CWE-551 (Incorrect Behavior Order: Authorize Before Parsing and Canonicalization).

CWE-551 represents a critical logic flaw where an application performs authorization checks before fully parsing and canonicalizing user input, such as URLs. This ordering error allows attackers to bypass security controls by exploiting ambiguities in path interpretation. For example, if a system checks permissions for “/ProtectedDir” but fails to normalize “/./ProtectedDir” into the same canonical form, an attacker may gain unauthorized access to restricted resources. Exploitation typically involves submitting encoded or redundant path segments that the authorization module compares literally but the file system resolves to the protected path. Developers prevent this by strictly enforcing a canonicalization step prior to any security validation. By normalizing all inputs to a standard format first, applications ensure that authorization decisions are based on the true, resolved resource path, thereby closing the gap between logical access control and actual file system behavior.

MITRE CWE Description
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.
Mitigations (1)
Phase: Architecture and Design. URL inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
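As an added example (not from this page or from MITRE), the two orderings side by side in Python: the vulnerable function authorizes on the raw request path and canonicalizes afterwards, while the hardened one percent-decodes exactly once and normalizes dot segments before the check. The protected directory name and the role model are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed for the example: this directory requires the "admin" role.
PROTECTED_PREFIX = "/ProtectedDir"


def canonicalize(raw_path: str) -> str:
    """Decode percent-encoding exactly once, then collapse '.', '..' and '//'.

    The result is always absolute, so '..' can never climb above the root.
    Decoding only once keeps "%252e" as a literal "%2e" segment, matching a
    backend that also decodes once (the "never decode twice" mitigation).
    """
    decoded = unquote(raw_path)  # single decode; never unquote() this result again
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_protected(path: str) -> bool:
    # Segment-aware prefix test so "/ProtectedDirEvil" is not mistaken for the protected tree.
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def vulnerable_access(raw_path: str, roles: set) -> str:
    """CWE-551 ordering: authorize on the raw string, canonicalize afterwards."""
    if is_protected(raw_path) and "admin" not in roles:
        return "DENY"
    resolved = canonicalize(raw_path)  # what the file system would actually open
    return f"SERVE {resolved}"


def hardened_access(raw_path: str, roles: set) -> str:
    """Correct ordering: canonicalize first, then authorize on the resolved path."""
    resolved = canonicalize(raw_path)
    if is_protected(resolved) and "admin" not in roles:
        return "DENY"
    return f"SERVE {resolved}"


if __name__ == "__main__":
    # Constructed request: a dot segment in front of the protected directory.
    request = "/./ProtectedDir/secret.txt"
    print("vulnerable:", vulnerable_access(request, {"user"}))  # SERVE /ProtectedDir/secret.txt
    print("hardened:  ", hardened_access(request, {"user"}))    # DENY
```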

Vulnerabilities classified as CWE-551 (Incorrect Behavior Order: Authorize Before Parsing and Canonicalization) represent 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.