The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.
Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.
CVE-2024-6091Chain: AI agent platform does not restrict pathnames containing internal "/./" sequences (CWE-55), leading to an incomplete denylist (CWE-184) that does not prevent OS command injection (CWE-78)
CVE-2024-4315Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusion via path traversal (CWE-22), allowing deletion of arbitrary files on Windows systems.
CVE-2024-44335Chain: filter only checks for some shell-injection characters (CWE-184), enabling OS command injection (CWE-78)
CVE-2008-2309product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
CVE-2005-2782PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".