The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
When register_globals is enabled, these globals are populated from any request input (GET or POST parameters, cookies, and so on), so an attacker can set them without uploading anything at all. Supplying a value such as "/etc/passwd" for $varname makes the application read or process an arbitrary file on the server.
6 recorded CVEs are caused by CWE-616 (Incomplete Identification of Uploaded File Variables (PHP)). The highest-severity and most recent are shown first. 1 new CWE-616 CVE has been recorded so far in 2026 (2 in 2025).
What can happen when CWE-616 is exploited.
Read Files or Directories, Modify Files or Directories
Affects: Confidentiality, Integrity
Practical mitigations for CWE-616, grouped by where in the lifecycle they apply.
Use PHP 4 or later.
If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile'].
For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.
Illustrative examples from MITRE showing how the weakness appears in code.
As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue.
Vulnerable example
In the "four globals" method, PHP sets the following 4 global variables (where "varname" is application-dependent):
$varname = name of the temporary file on local machine
$varname_size = size of file
$varname_name = original name of file provided by client
$varname_type = MIME type of the file
Mitigated example
"The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information."
$_FILES['userfile']['name'] - original filename from client
$_FILES['userfile']['type'] - MIME type of the file
$_FILES['userfile']['size'] - size of file
$_FILES['userfile']['tmp_name'] - name of the temporary file on the server
$_FILES['userfile']['error'] - error code
Note: 'userfile' is the field name from the web form; this can vary.
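The following is an added illustration, not code from MITRE or from this page, that puts the mitigations listed above and the two examples side by side: a "four globals" handler that processes whatever path the request supplies, and a handler that reads $_FILES and lets is_uploaded_file()/move_uploaded_file() confirm the path is a PHP-managed upload. The field name "userfile" and the directory /var/www/uploads are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration of CWE-616 (not code from MITRE or from this page).
// Assumptions: the upload form field is named "userfile" and files are stored
// under /var/www/uploads; both names are hypothetical.

// VULNERABLE: the "four globals" method. On old PHP with register_globals
// enabled, an upload in field "userfile" set $userfile (temp path),
// $userfile_name, $userfile_size and $userfile_type. The same mechanism also
// sets them from any GET/POST parameter or cookie, so a request such as
//   ?userfile=/etc/passwd&userfile_name=passwd.txt
// (with no file attached at all) makes this function copy /etc/passwd into
// the web root, where the attacker can then download it.
function save_upload_four_globals(): void
{
    global $userfile, $userfile_name;
    // Nothing here proves $userfile is a temp file PHP created for this request.
    copy($userfile, '/var/www/uploads/' . $userfile_name);
}

// HARDENED: use $_FILES (PHP >= 4.1.0; $HTTP_POST_FILES before that) and let
// PHP confirm the path is one of its own uploads.
function save_upload_hardened(string $field, string $uploadDir): string
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException("No upload in field '$field'");
    }
    $file = $_FILES[$field];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code {$file['error']}");
    }

    // is_uploaded_file() is true only for paths PHP itself created while
    // handling this request; /etc/passwd or any other attacker-chosen path fails.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a PHP-managed upload');
    }

    // The client-supplied name is untrusted; store under a generated name and
    // keep the original only as metadata if the application needs it.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16));

    // move_uploaded_file() repeats the is_uploaded_file() check and fails if
    // the source is not a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file() refused the source');
    }
    return $dest;
}

// Usage (web request only; under the CLI $_FILES is always empty):
if (PHP_SAPI !== 'cli' && isset($_FILES['userfile'])) {
    header('Content-Type: text/plain');
    echo 'stored as ', save_upload_hardened('userfile', '/var/www/uploads'), "\n";
}
```

register_globals was removed in PHP 5.4, so on a current interpreter the vulnerable function never receives values unless the application recreates the old globals itself (for example by extracting request parameters into variables). The check that matters is still the same: the only evidence that a path is an upload is is_uploaded_file() or move_uploaded_file() returning true, regardless of which superglobal the path came from.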
Common questions about CWE-616.
6 recorded CVEs are attributed to CWE-616, including CVE-2025-67084, CVE-2024-31601, CVE-2024-29858.
Exploiting CWE-616 can lead to: Read Files or Directories, Modify Files or Directories.
6 recorded CVEs are caused by CWE-616; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.