CWE-179 Base Incomplete

Incorrect Behavior Order: Early Validation

Q: How serious is CWE-179?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

Q: What languages or platforms are affected by CWE-179?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

Q: How can I prevent CWE-179?

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Q: How does Plexicus detect and fix CWE-179?

Plexicus's SAST engine matches the data-flow signature for CWE-179 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Q: Where can I learn more about CWE-179?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/179.html. You can also reference OWASP and NIST documentation for adjacent guidance.

This vulnerability occurs when an application validates user input before applying security filters or data normalization. Attackers can exploit this order of operations by submitting specially…

Definition

What is CWE-179?

This vulnerability occurs when an application validates user input before applying security filters or data normalization. Attackers can exploit this order of operations by submitting specially crafted input that passes the initial validation but becomes malicious after the application's filters or canonicalization processes modify it.

To prevent this flaw, validation logic must always run after data normalization and cleansing steps. Common operations like URL decoding, removing whitespace, or converting character encodings can change the input's structure. If you check for threats before these transformations, you create a window where a harmless-looking payload can be altered into a dangerous command, SQL injection, or path traversal attack after it's already been approved. Think of it as checking a guest's ID before they take off a disguise. The secure approach is to first standardize the input (e.g., decode all entities, resolve paths), then cleanse it, and finally validate the sanitized result against your security rules. This ensures you are evaluating the actual data that will be used by your application's core logic, closing the bypass opportunity.

Real-world impact

Real-world CVEs caused by CWE-179

CVE-2002-0433

Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character.
CVE-2003-0332

Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.
CVE-2002-0802

Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.
CVE-2000-0191

Overlaps "fakechild/../realchild"
CVE-2004-2363

Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed.
CVE-2002-0934

Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
CVE-2003-0282

Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

How attackers exploit it

Step-by-step attacker path

1
The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".
2
The problem with the above code is that the validation step occurs before canonicalization occurs. An attacker could provide an input path of "/safe_dir/../" that would pass the validation step. However, the canonicalization process sees the double dot as a traversal to the parent directory and hence when canonicized the path would become just "/".
3
To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue.
4
This script creates a subdirectory within a user directory and sets the user as the owner.
5
While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur.

Vulnerable code example

Vulnerable Java

The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

Vulnerable Java

String path = getInputPath();
  if (path.startsWith("/safe_dir/"))
  {
  	File f = new File(path);
  	return f.getCanonicalPath();
  }

Secure code example

Secure Java

To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue.

Secure Java

String path = getInputPath();
  File f = new File(path);
  if (f.getCanonicalPath().startsWith("/safe_dir/"))
  {
  	return f.getCanonicalPath();
  }

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-179

Implementation Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Detection signals

How to detect CWE-179

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-179 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-179?

How serious is CWE-179?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-179?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-179?

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

How does Plexicus detect and fix CWE-179?

Plexicus's SAST engine matches the data-flow signature for CWE-179 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-179?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/179.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-179

CWE-696 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo

Incorrect Behavior Order: Early Validation

What is CWE-179?

Real-world CVEs caused by CWE-179

Step-by-step attacker path

Vulnerable Java

Secure Java

How to prevent CWE-179

How to detect CWE-179

Plexicus auto-detects CWE-179 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-179