
CWE-670 (Always-Incorrect Control Flow Implementation) — Vulnerability Class 70

70 vulnerabilities are classified as CWE-670 (Always-Incorrect Control Flow Implementation); 30 of them appear in the table on this page. AI-generated analysis (in Chinese) is included for each entry.

CWE-670 describes a control-flow path whose behavior never matches the algorithm it was meant to implement: the code is wrong every time that path executes, not only under adversarial input. The usual cause is a gap between what the programmer sees and what the language grammar does, such as an `if` without braces that guards only the first of the statements indented under it (CWE-483), an error or redirect branch that does not `return` or `exit`, or a loop construct used in a way that skips or repeats work. The impact depends on what lies on the wrong path: an unguarded privileged operation becomes an authorization bypass, a skipped or duplicated state update corrupts data, and a path that always faults is a denial of service. The defenses are mostly mechanical: enforce a formatting standard (braces on every block), turn on compiler and static-analysis diagnostics for misleading indentation and unreachable code, and write unit tests that exercise both outcomes of every security-relevant branch. Code review that compares the implemented flow against the intended algorithm catches what the tools miss.

MITRE CWE Description
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.
Common Consequences (1)
Scope: Other. Impact: Other, Alter Execution Logic
Examples (2)
This code queries a server and displays its status when a request comes from an authorized IP address. The unauthorized branch prints a message and issues a redirect, but nothing stops the script there: execution continues past the closing brace, `getServerStatus()` runs, and the status is echoed to the unauthorized client as well. The branch needs an `exit()` (or `return`) after the redirect.

```php
$requestingIP = $_SERVER['REMOTE_ADDR'];
if(!in_array($requestingIP,$ipAllowList)){
    echo "You are not authorized to view this page";
    http_redirect($errorPageURL);
    // missing exit(): the script keeps running after the redirect
}
$status = getServerStatus();   // reached for unauthorized clients too
echo $status;
...
```
Bad · PHP

In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.

```c
if (condition==true)
    Do_X();
    Do_Y();   /* not guarded by the if: runs unconditionally */
```
Bad · C
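The two flawed patterns above, the PHP redirect that never exits and the C `if` without braces, rewritten as one runnable C program beside a hardened version. This is an added example, not code from the CWE entry or from any of the projects listed below; the allow-list, the client addresses, `get_server_status()`, `deny_and_redirect()` and `log_granted()` are constructed stand-ins for the page's `getServerStatus()`, `http_redirect()` and the server's audit logging.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allow-list for this example; not any real deployment's data. */
static const char *const ALLOW_LIST[] = { "10.0.0.5", "192.168.1.10" };

/* Sentinel meaning "the protected status value was not disclosed". */
#define NOT_DISCLOSED (-1)

static bool ip_allowed(const char *ip) {
    for (size_t i = 0; i < sizeof ALLOW_LIST / sizeof ALLOW_LIST[0]; i++) {
        if (strcmp(ip, ALLOW_LIST[i]) == 0) return true;
    }
    return false;
}

/* Stand-ins for the page's getServerStatus() and http_redirect(). The status
   value is the protected resource: handing it to a denied client is the bug. */
static int get_server_status(void) { return 200; }
static void deny_and_redirect(const char *ip) { printf("denied %s, redirecting\n", ip); }
static void log_granted(const char *ip) { printf("granted %s\n", ip); }

/* Pattern 1 (the PHP example): the denial is issued, but nothing stops
   execution, so the protected query still runs for the denied client. */
int handle_missing_exit(const char *ip, int *status_out) {
    int code = 200;
    *status_out = NOT_DISCLOSED;
    if (!ip_allowed(ip)) {
        deny_and_redirect(ip);
        code = 403;                        /* no return here: fall-through is the flaw */
    }
    *status_out = get_server_status();     /* reached on every path */
    return code;
}

/* Pattern 2 (the C example): the indentation says both statements are guarded
   by the allow-list check; the grammar says only the first one is. */
int handle_missing_braces(const char *ip, int *status_out) {
    *status_out = NOT_DISCLOSED;
    if (ip_allowed(ip))
        log_granted(ip);
        *status_out = get_server_status();  /* unguarded: runs for every client */
    return *status_out == NOT_DISCLOSED ? 403 : 200;   /* therefore always 200 */
}

/* Hardened form: one braced block with an early return, so the protected
   query is reachable only on the authorized path. */
int handle_fixed(const char *ip, int *status_out) {
    *status_out = NOT_DISCLOSED;
    if (!ip_allowed(ip)) {
        deny_and_redirect(ip);
        return 403;
    }
    log_granted(ip);
    *status_out = get_server_status();
    return 200;
}

int main(void) {
    /* Constructed clients: one on the allow-list, one not. */
    const char *clients[] = { "10.0.0.5", "203.0.113.7" };
    for (size_t i = 0; i < 2; i++) {
        int s1, s2, s3;
        int c1 = handle_missing_exit(clients[i], &s1);
        int c2 = handle_missing_braces(clients[i], &s2);
        int c3 = handle_fixed(clients[i], &s3);
        printf("%-12s missing_exit=%d/%d missing_braces=%d/%d fixed=%d/%d\n",
               clients[i], c1, s1, c2, s2, c3, s3);
    }
    return 0;
}
```

Compile with `gcc -Wall`: `-Wall` enables `-Wmisleading-indentation`, which flags the unguarded line in `handle_missing_braces`. The missing-exit pattern draws no warning at all, since every statement in it is syntactically where the author put it; the only check that catches it is a test asserting that the denied path never yields the protected value, as the assertions against `handle_fixed` do.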
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-38365 | btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality | btcd | 7.4 | High | 2024-10-11
CVE-2024-25622 | H2O ignores headers configuration directives | h2o | 3.1 | Low | 2024-10-11
CVE-2024-47168 | The `enable_monitoring` flag set to `False` does not disable monitoring in Gradio | gradio | 7.5 (AI) | High (AI) | 2024-10-10
CVE-2024-47763 | Wasmtime runtime crash when combining tail calls with trapping imports | wasmtime | 5.5 | Medium | 2024-10-09
CVE-2024-45807 | oghttp2 crash on OnBeginHeadersForStream in envoy | envoy | 7.5 | High | 2024-09-19
CVE-2024-45298 | Disabled user can bypass lockout by requesting password reset in wiki.js | wiki | 4.3 | Medium | 2024-09-18
CVE-2024-45311 | Denial of service in quinn-proto when using `Endpoint::retry()` | quinn | 7.5 | High | 2024-09-02
CVE-2024-45304 | OwnableTwoStep allows a pending owner to accept ownership after the original owner has renounced ownership in cairo-contracts | cairo-contracts | 5.3 | Medium | 2024-08-30
CVE-2024-5659 | Rockwell Automation Multicast Request Causes major nonrecoverable fault on Select Controllers | ControlLogix® 5580 | 6.5 (AI) | Medium (AI) | 2024-06-14
CVE-2024-37153 | Evmos's contract balance not updating correctly after interchain transaction | evmos | 7.5 | High | 2024-06-06
CVE-2024-35195 | Requests `Session` object does not verify requests after making first request with verify=False | requests | 5.6 | Medium | 2024-05-20
CVE-2024-32971 | Defect in query plan cache may cause incorrect operations to be executed in Apollo Router | router | 9.1 | Critical | 2024-05-02
CVE-2024-0313 | Skyhigh Client Proxy security vulnerability | Skyhigh Client Proxy | 5.5 | Medium | 2024-03-14
CVE-2023-49798 | Duplicated execution of subcalls in OpenZeppelin Contracts | openzeppelin-contracts | 5.9 | Medium | 2023-12-08
CVE-2023-41338 | Vulnerability in Ctx.IsFromLocal() in gofiber | fiber | 5.3 | Medium | 2023-09-08
CVE-2023-23623 | Content-Security-Policy disabling eval not applied consistently in renderers with sandbox disabled in Electron | electron | 7.5 | High | 2023-09-06
CVE-2023-41058 | Trigger `beforeFind` not invoked in internal query pipeline in parse-server | parse-server | 7.5 | High | 2023-09-04
CVE-2023-40015 | Vyper: reversed order of side effects for some operations | vyper | 3.7 | Low | 2023-09-04
CVE-2023-41052 | Vyper: incorrect order of evaluation of side effects for some builtins | vyper | 3.7 | Low | 2023-09-04
CVE-2023-32675 | Nonpayable default functions are sometimes payable in vyper | vyper | 3.7 | Low | 2023-05-19
CVE-2023-30629 | Vyper's raw_call with outsize=0 and revert_on_failure=False returns incorrect success value | vyper | 7.5 | High | 2023-04-24
CVE-2021-43819 | Stargate-Bukkit improperly handles vehicles causing data duplication | Stargate-Bukkit | 7.5 | High | 2023-04-19
CVE-2023-1668 | Open vSwitch security vulnerability | openvswitch | 8.2 | - | 2023-04-10
CVE-2022-25745 | Always Incorrect Control Flow Implementation in MODEM | Snapdragon | 9.8 | Critical | 2023-04-04
CVE-2023-0400 | Trellix Data Loss Prevention code issue vulnerability | Data Loss Prevention (DLP) | 5.9 | Medium | 2023-02-01
CVE-2022-41884 | Seg fault in `ndarray_tensor_bridge` due to zero and large inputs in Tensorflow | tensorflow | 4.8 | Medium | 2022-11-18
CVE-2022-39354 | evm has incorrect is_static parameter for custom stateful precompiles | evm | 5.9 | Medium | 2022-10-25
CVE-2022-35917 | Weakness in Transfer Validation Logic in @solana/pay | solana-pay | 5.3 | Medium | 2022-08-01
CVE-2022-31111 | Discrepancy in transfer value and actual value due to incorrect truncation in Frontier | frontier | 5.3 | Medium | 2022-07-06
CVE-2022-31116 | Incorrect handling of invalid surrogate pair characters in ujson | ultrajson | 7.5 | High | 2022-07-05

"(AI)" reproduces the page's own AI badge on that score and severity; "-" means no severity was given.

Vulnerabilities classified as CWE-670 (Always-Incorrect Control Flow Implementation) total 70 CVEs. The CWE taxonomy describes only the weakness pattern; review the individual CVEs for product-specific impact, since the same always-wrong path can mean an authorization bypass in one product and a crash in another.