CWE-697 Pillar Incomplete

Incorrect Comparison

This weakness occurs when a security-critical decision relies on a flawed comparison between two pieces of data. The incorrect logic can create a gap that attackers exploit to bypass checks or…

Definition

What is CWE-697?

This weakness occurs when a security-critical decision relies on a flawed comparison between two pieces of data. The incorrect logic can create a gap that attackers exploit to bypass checks or trigger unintended behavior.

Incorrect comparisons often happen because the check is too simplistic for the security context. For example, a developer might validate only one attribute when multiple factors should be considered, compare the wrong values entirely, or implement the comparison logic incorrectly (like using the wrong operator). This creates a mismatch between the intended security rule and what the code actually enforces. From a developer's perspective, this flaw is a logic bug in a security gate. It's not about missing a check, but about writing a check that doesn't work as intended. To prevent it, carefully review any comparison used for authentication, authorization, input validation, or state change decisions. Ensure it evaluates all necessary conditions with precise logic and test it with both valid and malicious edge cases.

Real-world impact

Real-world CVEs caused by CWE-697

CVE-2021-3116

Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390)
CVE-2020-15811

Chain: Proxy uses a substring search instead of parsing the Transfer-Encoding header (CWE-697), allowing request splitting (CWE-113) and cache poisoning
CVE-2016-10003

Proxy performs incorrect comparison of request headers, leading to infoleak

How attackers exploit it

Step-by-step attacker path

1
Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.
2
Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included.
3
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
4
In AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success.
5
As a result, this partial comparison leads to improper authentication (CWE-287).

Vulnerable code example

Vulnerable Java

Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.

Vulnerable Java

public class Truck {
  		private String make;
  		private String model;
  		private int year;
  		public boolean equals(Object o) {
  				if (o == null) return false;
  				if (o == this) return true;
  				if (!(o instanceof Truck)) return false;
  				Truck t = (Truck) o;
  				return (this.make.equals(t.getMake()) && this.model.equals(t.getModel()));
  		}
  }

Attacker payload

Any of these passwords would still cause authentication to succeed for the "admin" user:

Attacker payload

p
  pa
  pas
  pass

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-697

Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
Implementation Validate input at trust boundaries; use allowlists, not denylists.
Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
Operation Monitor logs for the runtime signals listed in the next section.

Detection signals

How to detect CWE-697

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-697 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-697?

How serious is CWE-697?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-697?

MITRE lists the following affected platforms: Not Technology-Specific.

How can I prevent CWE-697?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

How does Plexicus detect and fix CWE-697?

Plexicus's SAST engine matches the data-flow signature for CWE-697 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-697?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/697.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-697

CWE-1023 Child

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Incorrect Comparison

What is CWE-697?

Real-world CVEs caused by CWE-697

Step-by-step attacker path

Vulnerable Java

Secure pseudo

How to prevent CWE-697

How to detect CWE-697

Plexicus auto-detects CWE-697 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-697

Incomplete Comparison with Missing Factors

Comparison of Incompatible Types

Comparison Using Wrong Factors

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

Floating Point Comparison with Incorrect Operator