CWE-434 Base Draft Medium likelihood

Unrestricted Upload of File with Dangerous Type

This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server.

Definition

What is CWE-434?

This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server.

At its core, this flaw is about trust. Applications often treat uploaded files as safe data, but without strict validation, an attacker can upload a script, executable, or other dangerous file type. When the server stores this file in a web-accessible location and later processes or serves it, the malicious code can execute with the application's own privileges, leading to complete system compromise. To prevent this, developers must implement a multi-layered defense. This includes using an allow-list approach for file extensions, verifying the file's actual content (not just its claimed type), storing uploads outside the web root, and ensuring files are served with secure, non-executable permissions. Relying solely on client-side checks or obscuring upload locations is insufficient, as these are easily bypassed by a determined attacker.

Vulnerability Diagram CWE-434

Real-world impact

Real-world CVEs caused by CWE-434

CVE-2023-5227

PHP-based FAQ management app does not check the MIME type for uploaded images
CVE-2001-0901

Web-based mail product stores ".shtml" attachments that could contain SSI
CVE-2002-1841

PHP upload does not restrict file types
CVE-2005-1868

upload and execution of .php file
CVE-2005-1881

upload file with dangerous extension
CVE-2005-0254

program does not restrict file types
CVE-2004-2262

improper type checking of uploaded files
CVE-2006-4558

Double "php" extension leaves an active php extension in the generated filename.

How attackers exploit it

Step-by-step attacker path

1
The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".
2
Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory.
3
The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:
4
Since this filename ends in ".php" it can be executed by the web server. In the contents of this uploaded file, the attacker could use:
5
Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as:

Vulnerable code example

Vulnerable PHP

Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory.

Vulnerable PHP

```
// Define the target location where the picture being* 
  
  
   *// uploaded is going to be saved.* 
  $target = "pictures/" . basename($_FILES['uploadedfile']['name']);
  
  
   *// Move the uploaded file to the new location.* 
  if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target))
  {
  ```
  	echo "The picture has been successfully uploaded.";
  }
  else
  {
  	echo "There was an error uploading the picture, please try again.";
  }

Attacker payload

The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:

Attacker payload

malicious.php

Secure code example

Secure HTML

The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".

Secure HTML

<form action="upload_picture.php" method="post" enctype="multipart/form-data">
  Choose a file to upload:
  <input type="file" name="filename"/>
  <br/>
  <input type="submit" name="submit" value="Submit"/>
  </form>

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-434

Architecture and Design Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
Architecture and Design When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Architecture and Design Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]
Implementation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
Architecture and Design Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
Implementation Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]
Implementation When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.
Architecture and Design For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Detection signals

How to detect CWE-434

Dynamic Analysis with Automated Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Fuzz Tester Framework-based Fuzzer

Manual Static Analysis - Source Code High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)

Automated Static Analysis - Source Code High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer

Architecture or Design Review High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-434 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-434?

This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server.

How serious is CWE-434?

MITRE rates the likelihood of exploit as Medium — exploitation is realistic but typically requires specific conditions.

What languages or platforms are affected by CWE-434?

MITRE lists the following affected platforms: ASP.NET, PHP, Web Server.

How can I prevent CWE-434?

Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

How does Plexicus detect and fix CWE-434?

Plexicus's SAST engine matches the data-flow signature for CWE-434 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-434?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/434.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-434

CWE-669 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Unrestricted Upload of File with Dangerous Type

What is CWE-434?

Real-world CVEs caused by CWE-434

Step-by-step attacker path

Vulnerable PHP

Secure HTML

How to prevent CWE-434

How to detect CWE-434

Plexicus auto-detects CWE-434 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-434

Incorrect Resource Transfer Between Spheres

Exposure of Sensitive Information during Transient Execution

Improper Removal of Sensitive Information Before Storage or Transfer

Creation of chroot Jail Without Changing Working Directory

Download of Code Without Integrity Check

Reliance on Cookies without Validation and Integrity Checking

Inclusion of Functionality from Untrusted Control Sphere

Insufficient Type Distinction

Interpretation Conflict

Further reading

Don't Let Security
Weigh You Down.

Unrestricted Upload of File with Dangerous Type

What is CWE-434?

Real-world CVEs caused by CWE-434

Step-by-step attacker path

Vulnerable PHP

Secure HTML

How to prevent CWE-434

How to detect CWE-434

Plexicus auto-detects CWE-434 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-434

Incorrect Resource Transfer Between Spheres

Exposure of Sensitive Information during Transient Execution

Improper Removal of Sensitive Information Before Storage or Transfer

Creation of chroot Jail Without Changing Working Directory

Download of Code Without Integrity Check

Reliance on Cookies without Validation and Integrity Checking

Inclusion of Functionality from Untrusted Control Sphere

Insufficient Type Distinction

Interpretation Conflict

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.