CWE-621 Variant Incomplete

Variable Extraction Error

This vulnerability occurs when an application uses unvalidated external input to dynamically select which variables to populate with data. Without proper checks, this can allow an attacker to…

Definition

What is CWE-621?

This vulnerability occurs when an application uses unvalidated external input to dynamically select which variables to populate with data. Without proper checks, this can allow an attacker to overwrite critical internal variables, leading to unexpected behavior or security breaches.
In languages like PHP, functions such as `extract()` or `import_request_variables()` can mimic the dangerous behavior of the deprecated `register_globals` feature if called incorrectly. An attacker can manipulate input to overwrite global variables, including superglobals like `$_SESSION` or `$_GET`, potentially bypassing security controls or altering application logic. This pattern is not exclusive to PHP. Many interpreted languages and custom frameworks offer similar dynamic variable assignment features. Developers must always validate or whitelist which variable names are allowed to be set externally, treating user input as data, not as code that defines the program's structure.
Real-world impact

Real-world CVEs caused by CWE-621

  • CVE-2006-7135

    extract issue enables file inclusion

  • CVE-2006-7079

    Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22)

  • CVE-2007-0649

    extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.

  • CVE-2006-6661

    extract() enables static code injection

  • CVE-2006-2828

    import_request_variables() buried in include files makes post-disclosure analysis confusing

How attackers exploit it

Step-by-step attacker path

  1. 1

    Identify a code path that handles untrusted input without validation.

  2. 2

    Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.

  3. 3

    Deliver the payload through a normal request and observe the application's reaction.

  4. 4

    Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable PHP

This code uses the credentials sent in a POST request to login a user.

Vulnerable PHP 
```
//Log user in, and set $isAdmin to true if user is an administrator* 
  
  function login($user,$pass){
  ```
  	$query = buildQuery($user,$pass);
  	mysql_query($query);
  	if(getUserRole($user) == "Admin"){
  		$isAdmin = true;
  	}
  }
  $isAdmin = false;
  extract($_POST);
  login(mysql_real_escape_string($user),mysql_real_escape_string($pass));
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-621

  • Implementation Use allowlists of variable names that can be extracted.
  • Implementation Consider refactoring your code to avoid extraction routines altogether.
  • Implementation In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
Detection signals

How to detect CWE-621

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-621 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-621?

This vulnerability occurs when an application uses unvalidated external input to dynamically select which variables to populate with data. Without proper checks, this can allow an attacker to overwrite critical internal variables, leading to unexpected behavior or security breaches.

How serious is CWE-621?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-621?

MITRE lists the following affected platforms: PHP.

How can I prevent CWE-621?

Use allowlists of variable names that can be extracted. Consider refactoring your code to avoid extraction routines altogether.

How does Plexicus detect and fix CWE-621?

Plexicus's SAST engine matches the data-flow signature for CWE-621 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-621?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/621.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-621

CWE-914 Parent

Improper Control of Dynamically-Identified Variables

This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing…

CWE-627 Sibling

Dynamic Variable Evaluation

This vulnerability occurs when an application allows user input to directly determine which variable or function name is used at runtime.…

CWE-471 Can precede

Modification of Assumed-Immutable Data (MAID)

This vulnerability occurs when an application fails to protect data it assumes cannot be changed, allowing an attacker to alter it.

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo