CWE-584 Base Draft

Return Inside Finally Block

This vulnerability occurs when a function places a return statement inside a finally block. This dangerous pattern silently discards any unhandled exceptions thrown earlier in the try block, making…

Definition

What is CWE-584?

A finally block is designed to execute cleanup code regardless of whether an exception occurs in the try or catch blocks. However, if you place a return statement inside finally, it overrides the normal exception propagation. When an exception is thrown in the try block but not caught before finally executes, the return in the finally block takes precedence. The function then exits normally, returning a value and completely discarding the original exception, as if the error never happened. This creates a severe debugging and reliability issue because critical failure signals are lost. Developers are left with no stack trace, log entry, or indication that something went wrong, leading to silent data corruption, incorrect program states, and failures that are extremely difficult to diagnose. To avoid this, ensure return statements are placed in try or catch blocks, not in finally, and handle resource cleanup without altering the control flow for exceptions.

Real-world impact

Real-world CVEs caused by CWE-584

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

1
Identify a code path that handles untrusted input without validation.
2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
3
Deliver the payload through a normal request and observe the application's reaction.
4
Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable Java

In the following code excerpt, the IllegalArgumentException will never be delivered to the caller. The finally block will cause the exception to be discarded.

Vulnerable Java

try {
  	...
  	throw IllegalArgumentException();
  }
  finally {
  	return r;
  }

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-584

Implementation Do not use a return statement inside the finally block. The finally block should have "cleanup" code.

Detection signals

How to detect CWE-584

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-584 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-584?

How serious is CWE-584?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-584?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-584?

Do not use a return statement inside the finally block. The finally block should have "cleanup" code.

How does Plexicus detect and fix CWE-584?

Plexicus's SAST engine matches the data-flow signature for CWE-584 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-584?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/584.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-584

CWE-705 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo

Return Inside Finally Block

What is CWE-584?

Real-world CVEs caused by CWE-584

Step-by-step attacker path

Vulnerable Java

Secure pseudo

How to prevent CWE-584

How to detect CWE-584

Plexicus auto-detects CWE-584 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-584

Incorrect Control Flow Scoping

Uncaught Exception

J2EE Bad Practices: Use of System.exit()

Use of NullPointerException Catch to Detect NULL Pointer Dereference

Declaration of Catch for Generic Exception

Declaration of Throws for Generic Exception

Non-exit on Failed Initialization

Execution After Redirect (EAR)

Further reading

Don't Let Security
Weigh You Down.

Return Inside Finally Block

What is CWE-584?

Real-world CVEs caused by CWE-584

Step-by-step attacker path

Vulnerable Java

Secure pseudo

How to prevent CWE-584

How to detect CWE-584

Plexicus auto-detects CWE-584 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-584

Incorrect Control Flow Scoping

Uncaught Exception

J2EE Bad Practices: Use of System.exit()

Use of NullPointerException Catch to Detect NULL Pointer Dereference

Declaration of Catch for Generic Exception

Declaration of Throws for Generic Exception

Non-exit on Failed Initialization

Execution After Redirect (EAR)

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.