CWE-393 Base Draft

Return of Wrong Status Code

This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an operation. This false signal can cause the application to behave in…

Definition

What is CWE-393?

This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an operation. This false signal can cause the application to behave in unexpected and potentially insecure ways.
When a system relies on these incorrect return codes to make decisions, it can lead to unpredictable application states, logic errors, and instability. For example, a function might incorrectly report a successful file deletion or a failed authentication check, causing the program flow to proceed down the wrong path. If these status checks are part of security-critical logic—like access control, authentication, or data validation—the consequences are severe. The application might grant access to unauthorized users, assume a dangerous operation succeeded safely, or fail to alert on genuine security failures, creating hidden vulnerabilities that attackers can exploit.
Real-world impact

Real-world CVEs caused by CWE-393

  • CVE-2003-1132

    DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.

  • CVE-2001-1509

    Hardware-specific implementation of system call causes incorrect results from geteuid.

  • CVE-2001-1559

    Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).

  • CVE-2014-1266

    chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).

How attackers exploit it

Step-by-step attacker path

  1. 1

    Identify a code path that handles untrusted input without validation.

  2. 2

    Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.

  3. 3

    Deliver the payload through a normal request and observe the application's reaction.

  4. 4

    Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable Java

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

Vulnerable Java 
try {
```
// something that might throw IOException* 
  		...} catch (IOException ioe) {
  ```
  	response.sendError(SC_NOT_FOUND);
  }
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-393

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Detection signals

How to detect CWE-393

Fuzzing High

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.

Plexicus auto-fix

Plexicus auto-detects CWE-393 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-393?

This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an operation. This false signal can cause the application to behave in unexpected and potentially insecure ways.

How serious is CWE-393?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-393?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-393?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

How does Plexicus detect and fix CWE-393?

Plexicus's SAST engine matches the data-flow signature for CWE-393 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-393?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/393.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-393

CWE-684 Parent

Incorrect Provision of Specified Functionality

This weakness occurs when software behaves differently than its documented specifications, which can mislead users and create security…

CWE-1245 Sibling

Improper Finite State Machines (FSMs) in Hardware Logic

This vulnerability occurs when hardware logic contains flawed Finite State Machines (FSMs). Attackers can exploit these design errors to…

CWE-392 Sibling

Missing Report of Error Condition

This vulnerability occurs when a system fails to properly signal that an error has happened. Instead of returning a clear error code,…

CWE-440 Sibling

Expected Behavior Violation

This weakness occurs when a software component, such as a function, API, or feature, fails to act as documented or intended. The system's…

CWE-446 Sibling

UI Discrepancy for Security Feature

This vulnerability occurs when a user interface incorrectly displays a security feature as active or properly configured, misleading users…

CWE-451 Sibling

User Interface (UI) Misrepresentation of Critical Information

This vulnerability occurs when a user interface fails to accurately display or highlight crucial information, potentially misleading users…

CWE-912 Sibling

Hidden Functionality

Hidden functionality refers to undocumented features, commands, or code within a product that are not part of its official specification…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo