CWE-434 Unrestricted File Upload
Coverage: 1 rule in the SiteShadow rule registry targets this CWE (registry v2.0.0). Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged a file upload flow where the system accepts files without strong validation and isolation. Attackers can upload unexpected file types, oversized files, or content designed to be executed or served back to users.
Why it matters
Attackers can upload executable content or malware.
- RCE risk if uploaded files can be executed (e.g., server-side scripts) or parsed unsafely.
- Stored XSS if user-uploaded HTML/SVG is served back without sanitization.
- DoS / cost blowups from huge uploads or decompression bombs.
Safer examples
1) Use strict allowlists (type + content)
- Validate MIME type and file signatures (not just extension).
- Allowlist specific types (e.g.,
image/png,image/jpeg).
2) Store uploads safely
- Store outside the web root.
- Use random filenames and separate buckets/containers per risk level.
- Serve via a dedicated file service with correct
Content-TypeandContent-Disposition.
3) Enforce size limits and scanning
- Request size limits
- Antivirus/malware scanning for certain workflows
- Strip metadata for images when appropriate
How SiteShadow detects it (high level)
- Identifies upload handlers and checks for missing allowlists, missing size limits, and risky file serving patterns.
- Flags when uploaded content is served directly back to users without safety controls.
References
- CWE-434: https://cwe.mitre.org/data/definitions/434.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.