CWE-434β€”Unrestricted Upload of File with Dangerous Type

PUBLISHEDweakness recordMedium
released 2006-07-19 Β· last modified 2026-04-30
CWE-434 - Unrestricted Upload of File with Dangerous Type - Diagram

Metadata

CWE ID:
CWE-434
Abstraction:
Base
Structure:
Simple
Status:
Draft
Release Date:
2006-07-19
Latest Modification Date:
2026-04-30

Weakness Name

Unrestricted Upload of File with Dangerous Type

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Common Consequences

Scope:
Integrity, Confidentiality, Availability
Impact:
Execute Unauthorized Code or Commands
Notes:
Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for web-server extensions such as .asp and .php because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system.

Related Weaknesses