CWE-1389β€”Incorrect Parsing of Numbers with Different Radices

PUBLISHEDweakness record
released 2022-10-13 Β· last modified 2025-12-11

Metadata

CWE ID:
CWE-1389
Abstraction:
Base
Structure:
Simple
Status:
Incomplete
Release Date:
2022-10-13
Latest Modification Date:
2025-12-11

Weakness Name

Incorrect Parsing of Numbers with Different Radices

Description

The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).

Frequently, a numeric input that begins with "0" is treated as octal, or "0x" causes it to be treated as hexadecimal, e.g. by the inet_addr() function. For example, "023" (octal) is 35 decimal, or "0x31" is 49 decimal. Other bases may be used as well. If the developer assumes decimal-only inputs, the code could produce incorrect numbers when the inputs are parsed using a different base. This can result in unexpected and/or dangerous behavior. For example, a "0127.0.0.1" IP address is parsed as octal due to the leading "0", whose numeric value would be the same as 87.0.0.1 (decimal), where the developer likely expected to use 127.0.0.1. The consequences vary depending on the surrounding code in which this weakness occurs, but they can include bypassing network-based access control using unexpected IP addresses or netmasks, or causing apparently-symbolic identifiers to be processed as if they are numbers. In web applications, this can enable bypassing of SSRF restrictions.

Common Consequences

Scope:
Confidentiality
Impact:
Read Application Data
Notes:
An attacker may use an unexpected numerical base to access private application resources.
Scope:
Integrity
Impact:
Bypass Protection Mechanism, Alter Execution Logic
Notes:
An attacker may use an unexpected numerical base to bypass or manipulate access control mechanisms.

Related Weaknesses