# Mishandling of Exceptional Conditions (A10:2025)

A new category containing 24 CWEs focusing on improper error handling, logical errors, failing open, and other scenarios stemming from abnormal conditions that systems may encounter.

## Overview

New category for 2025. Focuses on how applications handle errors, edge cases, and exceptional conditions. Improper handling can lead to information disclosure, denial of service, or security control bypass.

## How Attackers Exploit This

### Fail-open bypass

Security controls fail open when exceptions occur, granting access the system would normally deny once it encounters an unexpected condition.

**Detection signal:** Access granted after system errors, security checks bypassed during high load

### Error-based information disclosure

Detailed error messages reveal internal system information, database schemas, or file paths to attackers.

**Detection signal:** Stack traces, SQL errors, or file paths in error responses

### Resource exhaustion

Triggering exceptional conditions repeatedly causes resource exhaustion or denial of service.

**Detection signal:** Repeated requests causing errors, memory or CPU spikes during error handling

## How to Prevent

- Implement consistent error handling across the application
- Design systems to fail securely (fail closed, not fail open)
- Handle each exception type explicitly; never swallow errors in a silent catch-all
- Return generic error messages to users, log detailed errors internally
- Test error handling paths with invalid, unexpected, and malicious input
- Implement timeouts and circuit breakers for external dependencies
- Validate assumptions about inputs and system state

## CWEs with Detection Rules (6)

- **CWE-209**: Generation of Error Message Containing Sensitive Information (5 rules) [go, javascript, typescript, python]
- **CWE-755**: Improper Handling of Exceptional Conditions (4 rules) [go, javascript, typescript, python]
- **CWE-235**: Improper Handling of Extra Parameters (2 rules) [javascript, typescript, python]
- **CWE-636**: Not Failing Securely ('Failing Open') (2 rules) [go, javascript, typescript]
- **CWE-390**: Detection of Error Condition Without Action (1 rule) [javascript, typescript]
- **CWE-396**: Declaration of Catch for Generic Exception (1 rule) [python]

## Other Mapped CWEs (18)

- CWE-210
- CWE-211
- CWE-230
- CWE-231
- CWE-232
- CWE-233
- CWE-234
- CWE-236
- CWE-237
- CWE-238
- CWE-240
- CWE-241
- CWE-392
- CWE-393
- CWE-395
- CWE-397
- CWE-460
- CWE-584

## Quick Reference

- Total CWEs: 24
- With Shoulder rules: 6
- Detection rules: 15
- Critical rules: 1
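The fail-open, silent catch-all and leaky-error patterns above, shown as an added Python example (not code from this page or from the Shoulder rules): a vulnerable authorization check beside its fail-closed counterpart. The `lookup_role` backend, `PolicyStoreError` and the dict-based policy store are constructed stand-ins.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


class PolicyStoreError(RuntimeError):
    """Constructed stand-in for a failing policy backend."""


@dataclass
class Decision:
    allowed: bool
    message: str  # text that is safe to return to the caller


def lookup_role(user, store):
    # Hypothetical backend call: a store of None simulates an outage.
    if store is None:
        raise PolicyStoreError("policy store connection refused (host=db01)")
    return store.get(user)


def check_fail_open(user, store):
    # VULNERABLE: the denial flag is only set on the happy path, so any
    # exception (CWE-755) leaves the permissive default in place (CWE-636).
    # The blanket handler (CWE-396) also echoes backend detail to the caller (CWE-209).
    denied = False
    message = "OK"
    try:
        if lookup_role(user, store) != "admin":
            denied = True
            message = "Forbidden"
    except Exception as exc:
        message = f"Authorization error: {exc}"
    return Decision(not denied, message)


def check_fail_closed(user, store):
    # HARDENED: deny unless the check positively succeeds, catch only the
    # expected failure type, log the detail internally, return a generic message.
    try:
        allowed = lookup_role(user, store) == "admin"
    except PolicyStoreError as exc:
        log.error("authz backend failure for user=%s: %s", user, exc)
        return Decision(False, "Authorization temporarily unavailable")
    return Decision(allowed, "OK" if allowed else "Forbidden")
```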