OWASP A10 · Mishandling of Exceptional Conditions · CWE-703 Improper Check of Exceptional Conditions · Severity: High
Fail-open auth — the exception that grants access
An auth check that throws on error, where the exception is caught and treated as 'allow', silently opens the door.
What happened
OWASP 2025 added 'Mishandling of Exceptional Conditions' as its own category (24 CWEs). The classic instance: an authorization check that talks to a token service, the service errors, the catch block logs and continues, and the request proceeds as if it had been authorized. The system fails open instead of closed.
The code
✕ Vulnerable — Error handling

```javascript
// Assumes the surrounding handler provides authz, deny(), handle(), log, user, resource and req.
async function handleRequest(req, user, resource) {
  try {
    const ok = await authz.check(user, resource);
    if (!ok) return deny();
  } catch (e) {
    log.warn("authz check failed", e); // and then... falls through
  }
  return handle(req); // reached on ANY error → access granted
}
```

✓ Fixed — Error handling

```javascript
// Same assumed helpers as above; the only change is what the catch block returns.
async function handleRequest(req, user, resource) {
  try {
    const ok = await authz.check(user, resource);
    if (!ok) return deny();
  } catch (e) {
    log.error("authz check failed — failing closed", e);
    return deny(); // fail CLOSED: an error is a denial, never an allow
  }
  return handle(req); // only reached after an explicit, successful check
}
```
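Added example, not part of the original card: a runnable fail-closed wrapper around an authorization call, tested against constructed stand-ins for the token service (healthy, erroring, hanging). It goes one step beyond the fix above by also treating a timeout and a non-boolean answer as a denial; `authorize`, `withTimeout` and the service stubs are hypothetical names.

```javascript
// Constructed stand-ins for the token service: healthy, erroring, and hanging.
const healthyService = {
  check: async (user, resource) => user.roles.includes(resource.requiredRole),
};
const brokenService = {
  check: async () => { throw new Error("token service returned 503"); },
};
const hangingService = { check: () => new Promise(() => {}) }; // never settles

// Race the check against a deadline so a hung dependency cannot stall the request.
function withTimeout(promise, ms) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`authz timeout after ${ms}ms`)), ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Fail-closed decision: returns "allow" only on an explicit true from the service.
// Any thrown error, rejection, timeout or non-boolean answer becomes "deny".
async function authorize(service, user, resource, { timeoutMs = 50, log = console } = {}) {
  try {
    const ok = await withTimeout(service.check(user, resource), timeoutMs);
    return ok === true ? "allow" : "deny"; // strict: a truthy object is not a grant
  } catch (e) {
    log.error(`authz check failed, failing closed: ${e.message}`);
    return "deny";
  }
}

// The card's fail-open shape, kept for contrast: the catch only logs, so control
// falls through to the allow path whenever the service errors or times out.
async function authorizeFailOpen(service, user, resource, { timeoutMs = 50, log = console } = {}) {
  try {
    const ok = await withTimeout(service.check(user, resource), timeoutMs);
    if (!ok) return "deny";
  } catch (e) {
    log.warn(`authz check failed: ${e.message}`);
  }
  return "allow";
}
```

A useful detection signal is the `log.error` line itself: a burst of "failing closed" entries means a dependency outage is being turned into denials rather than silent grants, which is the behaviour you want to alert on.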
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit.

Benteng · a Palu Gada tool.