CWE-223 Base Draft

Omission of Security-relevant Information

This vulnerability occurs when an application fails to capture or present crucial security-related details, such as the origin of a request or the specifics of a security event. Without this…

Definition

What is CWE-223?

This vulnerability occurs when an application fails to capture or present crucial security-related details, such as the origin of a request or the specifics of a security event. Without this information, developers and security teams cannot effectively trace attacks or validate whether an operation is legitimate.
When security-relevant information is omitted, it creates a blind spot in your application's defense. Attackers can exploit this gap to launch attacks without leaving an audit trail, making it nearly impossible to perform forensic analysis, understand the attack vector, or attribute malicious activity. This lack of visibility undermines incident response and allows threats to persist undetected. To prevent this, ensure your application logs and displays key security events with sufficient context. This includes timestamps, source IP addresses, user identifiers, affected resources, and the nature of the action performed. Implementing structured logging and real-time monitoring dashboards turns this data into actionable intelligence, helping your team quickly identify, investigate, and mitigate security incidents.
Real-world impact

Real-world CVEs caused by CWE-223

  • CVE-1999-1029

    Login attempts are not recorded if the user disconnects before the maximum number of tries.

  • CVE-2002-1839

    Sender's IP address not recorded in outgoing e-mail.

  • CVE-2000-0542

    Failed authentication attempts are not recorded if later attempt succeeds.

How attackers exploit it

Step-by-step attacker path

  1. 1

    This code logs suspicious multiple login attempts.

  2. 2

    This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit.

  3. 3

    This code prints the contents of a file if a user has permission.

  4. 4

    While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363).

Vulnerable code example

Vulnerable PHP

This code logs suspicious multiple login attempts.

Vulnerable PHP 
function login($userName,$password){
  		if(authenticate($userName,$password)){
  			return True;
  		}
  		else{
  			incrementLoginAttempts($userName);
  			if(recentLoginAttempts($userName) > 5){
  				writeLog("Failed login attempt by User: " . $userName . " at " + date('r') );
  			}
  		}
  }
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-223

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Detection signals

How to detect CWE-223

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-223 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-223?

This vulnerability occurs when an application fails to capture or present crucial security-related details, such as the origin of a request or the specifics of a security event. Without this information, developers and security teams cannot effectively trace attacks or validate whether an operation is legitimate.

How serious is CWE-223?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-223?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-223?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

How does Plexicus detect and fix CWE-223?

Plexicus's SAST engine matches the data-flow signature for CWE-223 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-223?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/223.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-223

CWE-221 Parent

Information Loss or Omission

This weakness occurs when an application fails to log critical security events or records them inaccurately, which can misguide security…

CWE-222 Sibling

Truncation of Security-relevant Information

This vulnerability occurs when a system shortens or cuts off security-critical data during display, logging, or processing. This…

CWE-224 Sibling

Obscured Security-relevant Information by Alternate Name

This vulnerability occurs when a system logs or reports security-critical events using a nickname or alias for a component, instead of its…

CWE-356 Sibling

Product UI does not Warn User of Unsafe Actions

This vulnerability occurs when a software interface fails to alert users before they perform a risky action. Without clear warnings, users…

CWE-396 Sibling

Declaration of Catch for Generic Exception

This weakness occurs when code catches a generic exception type like 'Exception' or 'Throwable', which can hide specific errors and create…

CWE-397 Sibling

Declaration of Throws for Generic Exception

This vulnerability occurs when a method is declared to throw an overly broad exception type, such as a generic 'Exception' or 'Throwable'.…

CWE-451 Sibling

User Interface (UI) Misrepresentation of Critical Information

This vulnerability occurs when a user interface fails to accurately display or highlight crucial information, potentially misleading users…

CWE-1429 Child

Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface

This vulnerability occurs when a hardware interface discards operations without providing any security-relevant feedback, such as error…

CWE-778 Child

Insufficient Logging

This weakness occurs when an application fails to properly record important security events or captures them with insufficient detail,…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.