Unrestricted Upload of File with Dangerous Type
Accepting arbitrary file uploads without validating type, size, or content, letting an attacker upload a .php, .jsp, or malicious binary.
GateTest coverage
Caught by: security
Example
// Vulnerable example: no type, size or name validation, and the file is written
// into the served ./public/ directory under the name the client chose.
const express = require('express');
const multer = require('multer');
const fs = require('fs');

const app = express();
const upload = multer({ storage: multer.memoryStorage() }); // no size limit, no fileFilter

app.post('/upload', upload.single('file'), (req, res) => {
  // originalname is attacker-controlled: "shell.php" lands in the web root,
  // and "../etc/x" walks out of it
  fs.writeFileSync('./public/' + req.file.originalname, req.file.buffer)
  res.sendStatus(201)
})
How to fix it
Validate the type with an extension allowlist AND the file's magic bytes; the client's Content-Type header and file extension are both attacker-controlled, so neither proves anything on its own. Store uploads outside the web root. Rename each file to a content hash on save so the client never controls the stored path (the example above also passes originalname straight into the path, which is a directory-traversal bug on top of the type problem). Enforce a strict size limit. Never serve uploads from a directory where the web server or an interpreter can execute them, and serve them with a fixed Content-Type rather than one derived from the upload.
Scan your repo for CWE-434
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-434 (Unrestricted Upload of File with Dangerous Type)?
Accepting arbitrary file uploads without validating type, size, or content, letting an attacker upload a .php, .jsp, or malicious binary.
How do I fix unrestricted upload of file with dangerous type?
Validate the type with an extension allowlist AND the file's magic bytes; the client's Content-Type header and extension are attacker-controlled, so neither is enough alone. Store uploads outside the web root. Rename each file to a content hash on save so the client never controls the stored path. Enforce a strict size limit. Never serve uploads from a directory where the web server or an interpreter can execute them.
Does GateTest detect unrestricted upload of file with dangerous type?
Yes. GateTest's security module catches this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Unrestricted Upload of File with Dangerous Type in the CWE Top 25?
Unrestricted Upload of File with Dangerous Type is ranked #10 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).