CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1983 vulnerabilities reference this CWE, most recent first.
GHSA-X9MV-RGR7-FXHP
Vulnerability from github – Published: 2026-05-21 09:32 – Updated: 2026-05-21 09:32An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation.
{
"affected": [],
"aliases": [
"CVE-2026-44051"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T08:16:20Z",
"severity": "HIGH"
},
"details": "An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation.",
"id": "GHSA-x9mv-rgr7-fxhp",
"modified": "2026-05-21T09:32:08Z",
"published": "2026-05-21T09:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44051"
},
{
"type": "WEB",
"url": "https://netatalk.io/security/CVE-2026-44051"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XC75-CC6Q-49FG
Vulnerability from github – Published: 2025-05-30 00:31 – Updated: 2025-05-31 00:30This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A path handling issue was addressed with improved validation.
{
"affected": [],
"aliases": [
"CVE-2025-31198"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-29T22:15:21Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A path handling issue was addressed with improved validation.",
"id": "GHSA-xc75-cc6q-49fg",
"modified": "2025-05-31T00:30:28Z",
"published": "2025-05-30T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31198"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122374"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122375"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCM7-PMG9-8WJQ
Vulnerability from github – Published: 2026-07-08 21:30 – Updated: 2026-07-08 21:30The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.
{
"affected": [],
"aliases": [
"CVE-2026-14361"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T20:16:47Z",
"severity": "MODERATE"
},
"details": "The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.",
"id": "GHSA-xcm7-pmg9-8wjq",
"modified": "2026-07-08T21:30:27Z",
"published": "2026-07-08T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14361"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2026-20-consul-template-vulnerable-to-path-redirections-in-writetofile/77559"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XF75-659H-CGG5
Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-29 22:58A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "coreutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35345"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T22:58:55Z",
"nvd_published_at": "2026-04-22T17:16:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link\u0027s target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.",
"id": "GHSA-xf75-659h-cgg5",
"modified": "2026-04-29T22:58:55Z",
"published": "2026-04-22T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35345"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/issues/10328"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "uutils coreutils has a Link Following Issue"
}
GHSA-XF7W-R453-M56C
Vulnerability from github – Published: 2019-05-30 17:19 – Updated: 2021-08-04 20:12Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Recommendation
Upgrade to version 1.0.12 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fstream"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-13173"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2019-05-30T17:17:33Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `fstream` prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system\u0027s file with the contents of the extracted file. The `fstream.DirWriter()` function is vulnerable.\n\n\n## Recommendation\n\nUpgrade to version 1.0.12 or later.",
"id": "GHSA-xf7w-r453-m56c",
"modified": "2021-08-04T20:12:16Z",
"published": "2019-05-30T17:19:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13173"
},
{
"type": "WEB",
"url": "https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4123-1"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/886"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00052.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Overwrite in fstream"
}
GHSA-XFWG-78FH-5FCQ
Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53ip-up in ppp-udeb 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the /tmp/resolv.conf.tmp temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-5367"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-08T23:30:00Z",
"severity": "MODERATE"
},
"details": "ip-up in ppp-udeb 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the /tmp/resolv.conf.tmp temporary file.",
"id": "GHSA-xfwg-78fh-5fcq",
"modified": "2022-05-17T05:53:18Z",
"published": "2022-05-17T05:53:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5367"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00283.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XG84-CH2X-H237
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2024-04-04 03:04OnCommand Unified Manager Core Package versions prior to 5.2.5 may disclose sensitive account information to unauthorized users via the use of PuTTY Link (plink).
{
"affected": [],
"aliases": [
"CVE-2020-8585"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-28T21:15:00Z",
"severity": "MODERATE"
},
"details": "OnCommand Unified Manager Core Package versions prior to 5.2.5 may disclose sensitive account information to unauthorized users via the use of PuTTY Link (plink).",
"id": "GHSA-xg84-ch2x-h237",
"modified": "2024-04-04T03:04:23Z",
"published": "2022-05-24T17:40:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8585"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/NTAP-20210128-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG92-G8H7-V7R4
Vulnerability from github – Published: 2022-05-17 00:17 – Updated: 2024-04-01 18:30The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2017-8806"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-13T09:29:00Z",
"severity": "MODERATE"
},
"details": "The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.",
"id": "GHSA-xg92-g8h7-v7r4",
"modified": "2024-04-01T18:30:52Z",
"published": "2022-05-17T00:17:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8806"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/usn/usn-3476-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4029"
},
{
"type": "WEB",
"url": "http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101810"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XGPJ-R9F2-8GHW
Vulnerability from github – Published: 2022-05-14 02:56 – Updated: 2022-05-14 02:56mtx-changer.Adic-Scalar-24 in bacula-common 2.4.2 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/mtx.##### temporary file, probably a related issue to CVE-2005-2995.
{
"affected": [],
"aliases": [
"CVE-2008-5373"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-08T23:30:00Z",
"severity": "MODERATE"
},
"details": "mtx-changer.Adic-Scalar-24 in bacula-common 2.4.2 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/mtx.##### temporary file, probably a related issue to CVE-2005-2995.",
"id": "GHSA-xgpj-r9f2-8ghw",
"modified": "2022-05-14T02:56:39Z",
"published": "2022-05-14T02:56:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5373"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00347.html"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.sid.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XH33-X4FQ-3R2H
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change.
{
"affected": [],
"aliases": [
"CVE-2016-8641"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-01T14:29:00Z",
"severity": "HIGH"
},
"details": "A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It\u0027s possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change.",
"id": "GHSA-xh33-x4fq-3r2h",
"modified": "2022-05-13T01:38:38Z",
"published": "2022-05-13T01:38:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8641"
},
{
"type": "WEB",
"url": "https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1.patch"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8641"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201702-26"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/40774"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.