Behavioral Problems

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to unexpected behaviors from code that an application uses.


Behavioral Change in New Version or Environment

A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.

Comparison Using Wrong Factors

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect resu...

Compiler Optimization Removal or Modification of Security-critical Code

The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.

Execution After Redirect (EAR)

The web application sends a redirect to another location, but instead of exiting, it executes additional code.

Expected Behavior Violation

A feature, API, or function does not perform according to its specification.

Improper Enforcement of a Single, Unique Action

The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly e...

Improper Enforcement of Behavioral Workflow

The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in...

Incomplete Model of Endpoint Features

A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, poten...

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, the...

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Incorrect Behavior Order: Early Amplification

The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.

Incorrect Behavior Order: Early Validation

The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs t...

Incorrect Block Delimitation

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

Loop with Unreachable Exit Condition ('Infinite Loop')

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Misinterpretation of Input

The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

Omitted Break Statement in Switch

The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the...

Operator Precedence Logic Error

The program uses an expression in which operator precedence causes incorrect logic to be used.

Processor Optimization Removal or Modification of Security-critical Code

The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is re...

Use of Incorrect Operator

The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.


Software Development

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.