Null Byte Interaction Error (Poison Null Byte)

Draft Variant
Structure: Simple
Description

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

Extended Description

A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.

Common Consequences
Scope: Integrity

Impact: Unexpected State

Potential Mitigations
Phase: Implementation
Remove null bytes from all incoming strings.
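
The mismatch described in the Extended Description, and the mitigation above, as an added example that is not part of the original entry: a length-counted string, as Perl or PHP holds it, is compared with what a C library routine sees. The struct, the function names and the sample filename are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length-counted string, as Perl and PHP hold it: NUL is an ordinary byte. */
struct lstr { const char *data; size_t len; };

/* Suffix check done on the counted representation (what the script sees). */
static int ends_with(struct lstr s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.data + s.len - n, suffix, n) == 0;
}

/* Length a C library routine would see: it stops at the first NUL. */
static size_t c_view_len(struct lstr s) {
    const char *nul = memchr(s.data, '\0', s.len);
    return nul ? (size_t)(nul - s.data) : s.len;
}

/* The two representations disagree exactly when a NUL is embedded. */
static int has_embedded_nul(struct lstr s) { return c_view_len(s) != s.len; }

/* Mitigation from this entry: remove NUL bytes from the incoming string.
   Writes the cleaned, NUL-terminated bytes to out (capacity cap) and
   returns the cleaned length, or (size_t)-1 if out is too small. */
static size_t strip_nuls(struct lstr in, char *out, size_t cap) {
    size_t j = 0;
    if (cap == 0) return (size_t)-1;
    for (size_t i = 0; i < in.len; i++) {
        if (in.data[i] == '\0') continue;       /* drop the NUL byte */
        if (j + 1 >= cap) return (size_t)-1;    /* keep room for terminator */
        out[j++] = in.data[i];
    }
    out[j] = '\0';
    return j;
}

int main(void) {
    /* Constructed input: value "notes.cfg\0" with ".txt" appended by the app. */
    static const char raw[] = "notes.cfg\0.txt";
    struct lstr path = { raw, sizeof raw - 1 };
    char clean[32];
    size_t n = strip_nuls(path, clean, sizeof clean);

    printf("script sees %zu bytes, ends in .txt: %d\n", path.len, ends_with(path, ".txt"));
    printf("C sees \"%.*s\" (%zu bytes)\n", (int)c_view_len(path), path.data, c_view_len(path));
    printf("after stripping: \"%s\" (%zu bytes)\n", clean, n);
    return has_embedded_nul(path) ? 0 : 1;
}
```

After stripping, the counted length and the C view agree, so an extension check made on one representation also holds for the other.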
Observed Examples
CVE-2005-4155: NUL byte bypasses PHP regular expression check
CVE-2005-3153: inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection
Applicable Platforms
Languages:
PHP: Undetermined
Perl: Undetermined
ASP.NET: Undetermined
Modes of Introduction
Implementation
Notes
Terminology: Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.
Research Gap: There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.