CWE-184 Base Draft

Incomplete List of Disallowed Inputs

This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but that list is missing critical entries. Attackers can bypass…

Definition

What is CWE-184?

Denylist-based security is fundamentally fragile because it requires developers to predict and block every possible bad input. This approach often fails against sophisticated attacks, as attackers constantly evolve their techniques to use new encodings, character sequences, or command variations that aren't on the list. Relying solely on a denylist creates a false sense of security and is difficult to maintain over time. For stronger protection, prioritize 'allowlisting' (only permitting known-good patterns) over denylisting. If a denylist is unavoidable, complement it with other defenses like strict input validation, output encoding, and security libraries designed to handle the specific threat. Always assume your denylist is incomplete and design your system to fail safely when an unexpected input is encountered.

Vulnerability Diagram CWE-184

Real-world impact

Real-world CVEs caused by CWE-184

CVE-2024-4315

Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusion via path traversal (CWE-22), allowing deletion of arbitrary files on Windows systems.
CVE-2008-2309

product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
CVE-2005-2782

PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
CVE-2004-0542

Programming language does not filter certain shell metacharacters in Windows environment.
CVE-2004-0595

XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
CVE-2005-3287

Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
CVE-2004-2351

Resultant XSS when only and are checked.
CVE-2005-2959

Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.

How attackers exploit it

Step-by-step attacker path

1
Identify a code path that handles untrusted input without validation.
2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
3
Deliver the payload through a normal request and observe the application's reaction.
4
Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable Java

The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string.

Vulnerable Java

public String removeScriptTags(String input, String mask) {
  	return input.replaceAll("script", mask);
  }

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-184

Implementation Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Detection signals

How to detect CWE-184

Black Box

Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.

Plexicus auto-fix

Plexicus auto-detects CWE-184 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-184?

How serious is CWE-184?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-184?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-184?

Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

How does Plexicus detect and fix CWE-184?

Plexicus's SAST engine matches the data-flow signature for CWE-184 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-184?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/184.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-184

CWE-693 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo

Incomplete List of Disallowed Inputs

What is CWE-184?

Real-world CVEs caused by CWE-184

Step-by-step attacker path

Vulnerable Java

Secure pseudo

How to prevent CWE-184

How to detect CWE-184

Plexicus auto-detects CWE-184 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-184

Protection Mechanism Failure

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

Semiconductor Defects in Hardware Logic with Security-Sensitive Implications

Incorrect Selection of Fuse Values

Product Released in Non-Release Configuration

Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

Public Key Re-Use for Signing both Debug and Production Code

Missing Support for Security Features in On-chip Fabrics or Buses

Improper Protection against Electromagnetic Fault Injection (EM-FI)

Further reading

Don't Let Security
Weigh You Down.

Incomplete List of Disallowed Inputs

What is CWE-184?

Real-world CVEs caused by CWE-184

Step-by-step attacker path

Vulnerable Java

Secure pseudo

How to prevent CWE-184

How to detect CWE-184

Plexicus auto-detects CWE-184 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-184

Protection Mechanism Failure

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

Semiconductor Defects in Hardware Logic with Security-Sensitive Implications

Incorrect Selection of Fuse Values

Product Released in Non-Release Configuration

Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

Public Key Re-Use for Signing both Debug and Production Code

Missing Support for Security Features in On-chip Fabrics or Buses

Improper Protection against Electromagnetic Fault Injection (EM-FI)

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.