
CWE-646 (Reliance on File Name or Extension of Externally-Supplied File) — Vulnerability Class 9

9 vulnerabilities classified as CWE-646 (Reliance on File Name or Extension of Externally-Supplied File). AI Chinese analysis included.

CWE-646 represents an input validation weakness where software trusts a user-supplied file name or extension to decide how the file is processed. Attackers typically exploit this by uploading a file whose name is deceptive, for example a script renamed to look like an image, so that the name-based check passes. The system then misclassifies the file and may store or execute it as code. The mitigation is strict server-side validation that ignores client-provided metadata: inspect the actual file content (magic bytes or content-based MIME sniffing) to establish the real format, enforce an allowlist of permitted types, assign server-generated names, and store uploads in non-executable directories. File handling then depends on intrinsic properties of the content rather than on an easily spoofed external identifier.

MITRE CWE Description
The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. An application might use the file name or extension of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a ".php.gif" extension that appears to be a GIF image, but would be processed as PHP code. In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, exposure of debug or system data (including application source code), or being bound to a particular server side process. This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself.
Common Consequences (3)
Confidentiality: Read Application Data
An attacker may be able to read sensitive data.
Availability: DoS: Crash, Exit, or Restart
An attacker may be able to cause a denial of service.
Access Control: Gain Privileges or Assume Identity
An attacker may be able to gain privileges.
Mitigations (1)
Architecture and Design: Make decisions on the server side based on file content and not on file name or extension.
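Added example (not code from the CWE entry or from this site): a Python upload classifier that applies the mitigation above, deciding type from the leading bytes, allowlisting only image formats, and assigning a server-generated name, so a client name such as "shell.php.gif" never influences how the file is stored or processed. The signature table and function names are assumptions for illustration.

```python
import secrets
from pathlib import PurePosixPath

# Allowlist keyed by magic bytes (file content), never by the client's name or extension.
MAGIC_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"GIF87a": ("image/gif", ".gif"),
    b"GIF89a": ("image/gif", ".gif"),
}


def detect_type(data: bytes):
    """Return (mime, extension) derived from the leading bytes, or None if not allowlisted."""
    for signature, info in MAGIC_SIGNATURES.items():
        if data.startswith(signature):
            return info
    return None


def classify_upload(client_filename: str, data: bytes) -> dict:
    """Decide how to handle an upload without trusting the client-supplied name.

    Returns {'accepted', 'stored_name', 'mime', 'reason'}. The stored name is a
    random token plus an extension chosen from the sniffed content, so the
    client's extension (e.g. '.php.gif') cannot select the server-side handler.
    """
    kind = detect_type(data)
    if kind is None:
        return {"accepted": False, "stored_name": None, "mime": None,
                "reason": "content does not match an allowlisted image signature"}
    mime, ext = kind
    stored_name = secrets.token_hex(16) + ext
    # Keep only the basename of the client name, and only as metadata: directory
    # components are stripped so it can never point outside the upload area.
    original = PurePosixPath(client_filename).name
    return {"accepted": True, "stored_name": stored_name, "mime": mime,
            "reason": f"content sniffed as {mime}; client name {original!r} ignored"}


if __name__ == "__main__":
    # Constructed sample: a PHP-looking payload uploaded under a GIF-looking name.
    print(classify_upload("shell.php.gif", b"<?php echo 'not an image'; ?>"))
    # Constructed sample: real PNG bytes uploaded under a misleading .gif name.
    print(classify_upload("holiday.gif", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Magic-byte checks establish the format but do not rule out a valid image that also carries embedded script text, which is why the upload directory must additionally be non-executable as the mitigation states.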

Vulnerabilities classified as CWE-646 (Reliance on File Name or Extension of Externally-Supplied File) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.