Corgea LogoCorgea Security Hub

CWE-394: Unexpected Status Code or Return Value

Learn about CWE-394 (Unexpected Status Code or Return Value), its security impact, exploitation methods, and prevention guidelines.

What is Unexpected Status Code or Return Value?

• Overview: This vulnerability occurs when a software product fails to handle unexpected status codes or return values from functions or operations. This means the product does not correctly anticipate all possible outcomes and does not have mechanisms to handle unexpected results, which could lead to unexpected behavior.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by triggering functions to return unexpected values, potentially causing the software to behave in unintended ways.
  • Common attack patterns include sending unexpected input or manipulating the environment to force a function to return an unexpected value, such as error codes or alternative paths not typically accounted for.

• Security Impact:

  • Direct consequences of successful exploitation include program crashes, incorrect program behavior, and unauthorized actions.
  • Potential cascading effects might involve data corruption, data leaks, or denial of service if the unexpected return value is not properly managed.
  • Business impact can include financial loss, damage to reputation, and legal liabilities if the vulnerability leads to significant security breaches.

• Prevention Guidelines:

  • Specific code-level fixes include implementing comprehensive input validation, using exhaustive switch statements, and handling all possible return values from functions.
  • Security best practices involve thorough testing of all functions and scenarios, including edge cases, and ensuring robust error handling and logging.
  • Recommended tools and frameworks include static analysis tools to detect unhandled return values and automated testing frameworks to simulate unexpected conditions and test the software's response.

Corgea can automatically detect and fix Unexpected Status Code or Return Value in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

JavaScript Example

// This function makes an API request but does not properly handle unexpected status codes
function fetchData() {
    fetch('https://api.example.com/data')
        .then(response => { // The response is checked only for a generic 'ok' status
            if (response.ok) { // This only checks if the response status is between 200 and 299
                return response.json();
            }
            // Does not handle specific status codes like 404 (Not Found) or 500 (Internal Server Error)
            throw new Error('Unexpected response'); // This throws a generic error for any non-2xx status
        })
        .then(data => {
            console.log('Data received:', data);
        })
        .catch(error => {
            console.error('Error:', error); // Catches the error but does not provide specific information
        });
}

How to fix Unexpected Status Code or Return Value?

To fix this vulnerability, you need to explicitly check for and handle specific HTTP status codes that indicate different types of errors. This allows your application to respond appropriately to different situations, such as retrying a request on a server error or informing the user of a missing resource. By doing so, you can provide more meaningful feedback and take corrective actions based on the specific error encountered.

How to fix Unexpected Status Code or Return Value?

Fixed Code Example

// This function now properly handles unexpected status codes by checking for specific codes
function fetchData() {
    fetch('https://api.example.com/data')
        .then(response => {
            if (response.status === 200) { // Explicitly checks for a 200 OK status
                return response.json();
            } else if (response.status === 404) { // Handle specific 404 Not Found error
                throw new Error('Resource not found (404)');
            } else if (response.status === 500) { // Handle specific 500 Internal Server Error
                throw new Error('Server error (500), please try again later');
            } else {
                throw new Error(`Unexpected status code: \${response.status}`); // Handle any other unexpected status codes
            }
        })
        .then(data => {
            console.log('Data received:', data);
        })
        .catch(error => {
            console.error('Error:', error); // Logs a more specific error message based on the status code
        });
}

In the fixed code example, the function fetchData now checks for specific HTTP status codes (200, 404, 500, etc.) and handles each appropriately. This approach allows the application to provide more specific feedback and handling logic, improving the overall robustness and user experience of the application. By explicitly checking for and responding to different status codes, the application can provide more meaningful error messages and take appropriate actions based on the type of error encountered.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-394: Unexpected Status Code or Return Value and get remediation guidance

Start for free and no credit card needed.