CWE-838
Inappropriate Encoding for Output Context
Extended description
This weakness can cause the downstream component to use a decoding method that produces different data than what the product intended to send. When the wrong encoding is used - even if closely related - the downstream component could decode the data incorrectly. This can have security consequences when the provided boundaries between control and data are inadvertently broken, because the resulting data could introduce control characters or special elements that were not sent by the product. The resulting data could then be used to bypass protection mechanisms such as input validation, and enable injection attacks. While using output encoding is essential for ensuring that communications between components are accurate, the use of the wrong encoding - even if closely related - could cause the downstream component to misinterpret the output. For example, HTML entity encoding is used for elements in the HTML body of a web page. However, a programmer might use entity encoding when generating output for that is used within an attribute of an HTML tag, which could contain functional Javascript that is not affected by the HTML encoding. While web applications have received the most attention for this problem, this weakness could potentially apply to any type of product that uses a communications stream that could support multiple encodings.
Common consequences1
- IntegrityConfidentialityAvailabilityModify Application DataExecute Unauthorized Code or Commands
An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.
Potential mitigations3
- Implementation
Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.
- Architecture and Design
Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.
- Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Note that some template mechanisms provide built-in support for the appropriate encoding.
CVEs referencing this CWE14
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2019-6110 | In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. | MEDIUM6.8 | 21%p97 | PoC | 2025-12-18 |
| CVE-2020-10996 | An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected. | HIGH8.1 | 1.50%p71 | 2024-11-21 | |
| CVE-2019-18981 | Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification. | CRITICAL9.8 | 1.39%p69 | 2024-11-21 | |
| CVE-2023-6512 | Inappropriate implementation in Web Browser UI in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to potentially spoof the contents of an iframe dialog context menu via a crafted HTML page. (Chromium security severity: Low) | MEDIUM6.5 | 1.29%p66 | 2025-05-28 | |
| CVE-2020-7292 | Inappropriate Encoding for output context vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows a remote attacker to cause MWG to return an ambiguous redirect response via getting a user to click on a malicious URL. | MEDIUM4.3 | 0.86%p54 | 2024-11-21 | |
| CVE-2025-4052 | Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low) | CRITICAL9.8 | 0.58%p43 | 2025-05-28 | |
| CVE-2023-3735 | Inappropriate implementation in Web API Permission Prompts in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | MEDIUM4.3 | 0.57%p43 | 2025-07-09 | |
| CVE-2020-29135 | cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567). | MEDIUM4.1 | 0.57%p43 | 2024-11-21 | |
| CVE-2024-11702 | Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. This vulnerability affects Firefox < 133 and Thunderbird < 133. | HIGH7.5 | 0.53%p40 | 2025-04-05 | |
| CVE-2022-43407 | Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with. | HIGH8.8 | 0.49%p38 | 2025-05-08 | |
| CVE-2018-9862 | util.c in runV 1.0.0 for Docker mishandles a numeric username, which allows attackers to obtain root access by leveraging the presence of an initial numeric value on an /etc/passwd line, and then issuing a "docker exec" command with that value in the -u argument, a similar issue to CVE-2016-3697. | NONE | 0.45%p35 | 2024-11-21 | |
| CVE-2022-43408 | Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins. | MEDIUM6.5 | 0.44%p35 | 2025-05-08 | |
| CVE-2024-34006 | The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered. | MEDIUM4.3 | 0.35%p27 | 2025-05-30 | |
| CVE-2023-5770 | Proofpoint Enterprise Protection contains a vulnerability in the email delivery agent that allows an unauthenticated attacker to inject improperly encoded HTML into the email body of a message through the email subject. The vulnerability is caused by inappropriate encoding when rewriting the email before delivery.This issue affects Proofpoint Enterprise Protection: from 8.20.2 before patch 4809, from 8.20.0 before patch 4805, from 8.18.6 before patch 4804 and all other prior versions. | MEDIUM5.4 | 0.34%p26 | 2025-06-03 |