CWE-797 Variant Incomplete

Only Filtering Special Elements at an Absolute Position

Definition

What is CWE-797?

This vulnerability occurs when software checks for dangerous characters or patterns only at a fixed, hardcoded location in input data. Because it ignores these same elements if they appear anywhere else, attackers can bypass the filter by simply moving the malicious content to a different position.

Imagine a filter that only removes a semicolon if it's exactly the 10th character, believing this will prevent SQL injection. An attacker can easily bypass this by adding a few harmless characters at the start, moving the malicious semicolon to the 11th position. The filter sees nothing wrong at its one checked spot and lets the tainted data pass through, leading to a successful attack. This flaw stems from a misunderstanding of input validation. Effective security requires checking all input comprehensively, not just sampling a single location. Developers should use allowlists or context-aware encoding that processes the entire data stream, ensuring dangerous elements are neutralized no matter where they appear.

Real-world impact

Real-world CVEs caused by CWE-797

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

1
The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
2
Since the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as:
3
will have the first "../" filtered, resulting in:
4
This value is then concatenated with the /home/user/ directory:
5
which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22).

Vulnerable code example

Vulnerable Perl

The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.

Vulnerable Perl

my $Username = GetUntrustedInput();
  if (substr($Username, 0, 3) eq '../') {
  	$Username = substr($Username, 3);
  }
  my $filename = "/home/user/" . $Username;
  ReadAndSendFile($filename);

Attacker payload

Since the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as:

Attacker payload

../../../etc/passwd

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-797

Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
Implementation Validate input at trust boundaries; use allowlists, not denylists.
Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
Operation Monitor logs for the runtime signals listed in the next section.

Detection signals

How to detect CWE-797

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-797 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-797?

How serious is CWE-797?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-797?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-797?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

How does Plexicus detect and fix CWE-797?

Plexicus's SAST engine matches the data-flow signature for CWE-797 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-797?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/797.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-797

CWE-795 Parent

Only Filtering Special Elements at a Specified Location

This vulnerability occurs when a security filter only checks for dangerous input patterns at specific, predefined locations within the…

CWE-796 Sibling

Only Filtering Special Elements Relative to a Marker

This vulnerability occurs when software filters dangerous inputs or characters, but only checks for them in specific, expected locations…

Resources

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo