CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1984 vulnerabilities reference this CWE, most recent first.
GHSA-58P9-FWRR-259C
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&code= URI. This occurs because chmod is used unsafely.
{
"affected": [],
"aliases": [
"CVE-2021-30463"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-08T14:15:00Z",
"severity": "HIGH"
},
"details": "VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm\u0026user=admin\u0026code= URI. This occurs because chmod is used unsafely.",
"id": "GHSA-58p9-fwrr-259c",
"modified": "2022-05-24T17:46:55Z",
"published": "2022-05-24T17:46:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30463"
},
{
"type": "WEB",
"url": "https://ssd-disclosure.com/ssd-advisory-vestacp-lpe-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-58PW-R2V4-PWJV
Vulnerability from github – Published: 2025-08-08 21:30 – Updated: 2025-11-05 00:317-Zip before 25.01 does not always properly handle symbolic links during extraction.
{
"affected": [],
"aliases": [
"CVE-2025-55188"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-08T21:15:25Z",
"severity": "LOW"
},
"details": "7-Zip before 25.01 does not always properly handle symbolic links during extraction.",
"id": "GHSA-58pw-r2v4-pwjv",
"modified": "2025-11-05T00:31:24Z",
"published": "2025-08-08T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55188"
},
{
"type": "WEB",
"url": "https://github.com/ip7z/7zip/compare/25.00...25.01"
},
{
"type": "WEB",
"url": "https://github.com/ip7z/7zip/releases/tag/25.01"
},
{
"type": "WEB",
"url": "https://github.com/lunbun/CVE-2025-55188"
},
{
"type": "WEB",
"url": "https://lunbun.dev/blog/cve-2025-55188"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/sevenzip/discussion/45797/thread/da14cd780b"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/08/09/1"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-detect-7-zip-vulnerable-version"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-mitigate-7-zip-vulnerability"
},
{
"type": "WEB",
"url": "https://youtu.be/sWT6M1cfnwM"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/09/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/10/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/13/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/12/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/16/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-58V9-JF45-V492
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-04-04 03:04Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.
{
"affected": [],
"aliases": [
"CVE-2021-27229"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-16T04:15:00Z",
"severity": "HIGH"
},
"details": "Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.",
"id": "GHSA-58v9-jf45-v492",
"modified": "2024-04-04T03:04:36Z",
"published": "2022-05-24T17:42:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27229"
},
{
"type": "WEB",
"url": "https://github.com/mumble-voip/mumble/pull/4733"
},
{
"type": "WEB",
"url": "https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648"
},
{
"type": "WEB",
"url": "https://github.com/mumble-voip/mumble/compare/1.3.3...1.3.4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00022.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202105-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58XF-QF7H-M4M6
Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-5144"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-18T16:00:00Z",
"severity": "MODERATE"
},
"details": "nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.",
"id": "GHSA-58xf-qf7h-m4m6",
"modified": "2022-05-17T05:53:08Z",
"published": "2022-05-17T05:53:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5144"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32411"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5977-VHPG-P3HQ
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-26238"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T17:15:50Z",
"severity": "HIGH"
},
"details": "Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability",
"id": "GHSA-5977-vhpg-p3hq",
"modified": "2024-05-14T18:31:03Z",
"published": "2024-05-14T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26238"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-597G-3PHW-6986
Vulnerability from github – Published: 2026-01-13 18:45 – Updated: 2026-01-13 18:45Impact
TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.
Affected versions: All versions up to and including 20.36.1
Affected users: Any user running virtualenv on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where VIRTUALENV_OVERRIDE_APP_DATA points to a user-writable location.
Attack scenarios: - Cache poisoning: Attacker corrupts wheels or Python metadata in the cache - Information disclosure: Attacker reads sensitive cached data or metadata - Lock bypass: Attacker controls lock file semantics to cause concurrent access violations - Denial of service: Lock starvation preventing virtualenv operations
Patches
The vulnerability has been patched by replacing check-then-act patterns with atomic os.makedirs(..., exist_ok=True) operations.
Fixed in: PR #3013
Versions with the fix: 20.36.2 and later
Users should upgrade to version 20.36.2 or later.
Workarounds
If you cannot upgrade immediately:
- Ensure
VIRTUALENV_OVERRIDE_APP_DATApoints to a directory owned by the current user with restricted permissions (mode 0700) - Avoid running
virtualenvin shared temporary directories where other users have write access - Use separate user accounts for different projects to isolate app_data directories
References
- GitHub PR: https://github.com/pypa/virtualenv/pull/3013
- Vulnerability reported by: @tsigouris007
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
- CWE-59: Improper Link Resolution Before File Access
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "virtualenv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.36.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22702"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T18:45:57Z",
"nvd_published_at": "2026-01-10T07:16:02Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nTOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv\u0027s app_data and lock file operations to attacker-controlled locations.\n\n**Affected versions:** All versions up to and including 20.36.1\n\n**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.\n\n**Attack scenarios:**\n- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache\n- Information disclosure: Attacker reads sensitive cached data or metadata\n- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations\n- Denial of service: Lock starvation preventing virtualenv operations\n\n## Patches\n\nThe vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.\n\n**Fixed in:** PR #3013\n\n**Versions with the fix:** 20.36.2 and later\n\nUsers should upgrade to version 20.36.2 or later.\n\n## Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)\n2. Avoid running `virtualenv` in shared temporary directories where other users have write access\n3. Use separate user accounts for different projects to isolate app_data directories\n\n## References\n\n- GitHub PR: https://github.com/pypa/virtualenv/pull/3013\n- Vulnerability reported by: @tsigouris007\n- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)\n- CWE-59: Improper Link Resolution Before File Access",
"id": "GHSA-597g-3phw-6986",
"modified": "2026-01-13T18:45:57Z",
"published": "2026-01-13T18:45:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22702"
},
{
"type": "WEB",
"url": "https://github.com/pypa/virtualenv/pull/3013"
},
{
"type": "WEB",
"url": "https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc"
},
{
"type": "PACKAGE",
"url": "https://github.com/pypa/virtualenv"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "virtualenv Has TOCTOU Vulnerabilities in Directory Creation"
}
GHSA-599W-RMP9-P3VV
Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.
{
"affected": [],
"aliases": [
"CVE-2022-21770"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.",
"id": "GHSA-599w-rmp9-p3vv",
"modified": "2022-07-15T00:00:23Z",
"published": "2022-07-07T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21770"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/July-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59PM-697W-V8V8
Vulnerability from github – Published: 2025-10-28 03:30 – Updated: 2025-10-28 03:30A vulnerability was detected in ermig1979 AntiDupl up to 2.3.12. Impacted is an unknown function of the file AntiDupl.NET.WinForms.exe of the component Delete Duplicate Image Handler. The manipulation results in link following. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-12341"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-28T01:16:11Z",
"severity": "HIGH"
},
"details": "A vulnerability was detected in ermig1979 AntiDupl up to 2.3.12. Impacted is an unknown function of the file AntiDupl.NET.WinForms.exe of the component Delete Duplicate Image Handler. The manipulation results in link following. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-59pm-697w-v8v8",
"modified": "2025-10-28T03:30:19Z",
"published": "2025-10-28T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12341"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/19jwaqUji6O3U6EAeUMixBM58QTc4qNMQ/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.330127"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.330127"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.674515"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-59WJ-H89P-37X9
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-11-04 00:32This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to create symlinks to protected regions of the disk.
{
"affected": [],
"aliases": [
"CVE-2025-30457"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T23:15:27Z",
"severity": "CRITICAL"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to create symlinks to protected regions of the disk.",
"id": "GHSA-59wj-h89p-37x9",
"modified": "2025-11-04T00:32:24Z",
"published": "2025-04-01T00:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30457"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122374"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122375"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/8"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5C52-J627-9MH6
Vulnerability from github – Published: 2022-05-17 04:16 – Updated: 2022-05-17 04:16The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file.
{
"affected": [],
"aliases": [
"CVE-2015-1377"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-02-10T20:59:00Z",
"severity": "MODERATE"
},
"details": "The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file.",
"id": "GHSA-5c52-j627-9mh6",
"modified": "2022-05-17T04:16:05Z",
"published": "2022-05-17T04:16:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1377"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/62157"
},
{
"type": "WEB",
"url": "http://www.webmin.com/changes.html"
},
{
"type": "WEB",
"url": "http://www.webmin.com/security.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.