CWE-117 Base Draft Medium likelihood

Improper Output Neutralization for Logs

This vulnerability occurs when an application creates log entries using unvalidated external data, allowing attackers to inject malicious characters or commands that can corrupt log files, trigger…

Definition

What is CWE-117?

This vulnerability occurs when an application creates log entries using unvalidated external data, allowing attackers to inject malicious characters or commands that can corrupt log files, trigger parsing errors, or enable log injection attacks.
Log injection happens when user-supplied data containing special characters like newlines (\n), carriage returns (\r), or log-specific control sequences is written directly into log files without proper sanitization. Attackers can exploit this to forge fake log entries, break log file formatting, or obfuscate their malicious activities by injecting deceptive lines that mislead forensic analysis. To prevent this, developers should treat log entries as structured data rather than free-form text. Always sanitize or encode external inputs before writing them to logs, using appropriate logging frameworks that automatically handle escaping. Consider using parameterized logging functions that separate data from the log message template, which neutralizes dangerous characters while maintaining log integrity and readability.
Vulnerability Diagram CWE-117
Log Injection Username bob\nADMIN: login OK app.log 12:00 INFO login user=bob ADMIN: login OK ← forged 12:01 INFO list page SOC analyst misled by fake events Newlines in input forge log entries and hide attacker traces.
Real-world impact

Real-world CVEs caused by CWE-117

  • CVE-2006-4624

    Chain: inject fake log entries with fake timestamps using CRLF injection

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with an error message indicating what happened.

  2. 2

    If a user submits the string "twenty-one" for val, the following entry is logged:

  3. 3

    - INFO: Failed to parse val=twenty-one

  4. 4

    However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

  5. 5

    - INFO: Failed to parse val=twenty-one - INFO: User logged out=badguy

Vulnerable code example

Vulnerable Java

The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with an error message indicating what happened.

Vulnerable Java 
String val = request.getParameter("val");
  try {
  		int value = Integer.parseInt(val);
  }
  catch (NumberFormatException) {
  	log.info("Failed to parse val = " + val);
  }
  ...
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-117

  • Implementation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Implementation Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • Implementation Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Detection signals

How to detect CWE-117

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-117 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-117?

This vulnerability occurs when an application creates log entries using unvalidated external data, allowing attackers to inject malicious characters or commands that can corrupt log files, trigger parsing errors, or enable log injection attacks.

How serious is CWE-117?

MITRE rates the likelihood of exploit as Medium — exploitation is realistic but typically requires specific conditions.

What languages or platforms are affected by CWE-117?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-117?

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and…

How does Plexicus detect and fix CWE-117?

Plexicus's SAST engine matches the data-flow signature for CWE-117 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-117?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/117.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-117

CWE-116 Parent

Improper Encoding or Escaping of Output

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but…

CWE-644 Sibling

Improper Neutralization of HTTP Headers for Scripting Syntax

This vulnerability occurs when an application fails to properly sanitize or escape user-controlled data placed within HTTP response…

CWE-838 Sibling

Inappropriate Encoding for Output Context

This vulnerability occurs when a system uses one type of encoding for its output, but the component receiving that data expects a…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo