CWE-150β€”Improper Neutralization of Escape, Meta, or Control Sequences

PUBLISHEDweakness record
released 2006-07-19 Β· last modified 2026-04-30

Metadata

CWE ID:
CWE-150
Abstraction:
Variant
Structure:
Simple
Status:
Incomplete
Release Date:
2006-07-19
Latest Modification Date:
2026-04-30

Weakness Name

Improper Neutralization of Escape, Meta, or Control Sequences

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Common Consequences

Scope:
Integrity
Impact:
Execute Unauthorized Code or Commands, Hide Activities, Unexpected State
Notes:
ANSI escape codes can be used for low-severity attacks such as changing the color of console output, but they can also be used to arbitrarily move the cursor, clear the screen, and make fake prompts inside the interactive CLI via malicious user input. In some contexts - depending on the functionality of the terminal in use - ANSI escape codes can be used to execute arbitrary code.

Related Weaknesses