CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1984 vulnerabilities reference this CWE, most recent first.
GHSA-6HJQ-RGP4-842X
Vulnerability from github – Published: 2025-07-08 09:31 – Updated: 2025-07-08 09:31A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.
{
"affected": [],
"aliases": [
"CVE-2025-41666"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T07:15:25Z",
"severity": "HIGH"
},
"details": "A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.",
"id": "GHSA-6hjq-rgp4-842x",
"modified": "2025-07-08T09:31:29Z",
"published": "2025-07-08T09:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41666"
},
{
"type": "WEB",
"url": "https://certvde.com/en/advisories/VDE-2025-054"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HVX-3MCF-V9XF
Vulnerability from github – Published: 2022-05-01 02:03 – Updated: 2024-01-26 18:30linki.py in ekg 2005-06-05 and earlier allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.
{
"affected": [],
"aliases": [
"CVE-2005-1916"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-07-06T04:00:00Z",
"severity": "LOW"
},
"details": "linki.py in ekg 2005-06-05 and earlier allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.",
"id": "GHSA-6hvx-3mcf-v9xf",
"modified": "2024-01-26T18:30:30Z",
"published": "2022-05-01T02:03:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1916"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=112060146011122\u0026w=2"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=112198499417250\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2005/dsa-760"
},
{
"type": "WEB",
"url": "http://www.zataz.net/adviso/ekg-06062005.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6J4P-VQ7V-X6G8
Vulnerability from github – Published: 2022-05-01 23:59 – Updated: 2022-05-01 23:59Unspecified vulnerability in Links before 2.1, when "only proxies" is enabled, has unknown impact and attack vectors related to providing "URLs to external programs."
{
"affected": [],
"aliases": [
"CVE-2008-3329"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-07-27T22:41:00Z",
"severity": "HIGH"
},
"details": "Unspecified vulnerability in Links before 2.1, when \"only proxies\" is enabled, has unknown impact and attack vectors related to providing \"URLs to external programs.\"",
"id": "GHSA-6j4p-vq7v-x6g8",
"modified": "2022-05-01T23:59:10Z",
"published": "2022-05-01T23:59:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3329"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44035"
},
{
"type": "WEB",
"url": "http://links.twibright.com/download/ChangeLog"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30422"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6JCC-G9H6-FGHC
Vulnerability from github – Published: 2025-12-12 21:31 – Updated: 2025-12-15 15:30This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to delete protected user data.
{
"affected": [],
"aliases": [
"CVE-2025-43381"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-12T21:15:53Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to delete protected user data.",
"id": "GHSA-6jcc-g9h6-fghc",
"modified": "2025-12-15T15:30:30Z",
"published": "2025-12-12T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43381"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125634"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6JCP-4MFR-QVPM
Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53** DISPUTED ** os-prober in os-prober 1.17 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/mounted-map or (2) /tmp/raided-map temporary file. NOTE: the vendor disputes this issue, stating "the insecure code path should only ever run inside a d-i environment, which has no non-root users."
{
"affected": [],
"aliases": [
"CVE-2008-5135"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-18T16:00:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** os-prober in os-prober 1.17 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/mounted-map or (2) /tmp/raided-map temporary file. NOTE: the vendor disputes this issue, stating \"the insecure code path should only ever run inside a d-i environment, which has no non-root users.\"",
"id": "GHSA-6jcp-4mfr-qvpm",
"modified": "2022-05-17T05:53:37Z",
"published": "2022-05-17T05:53:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5135"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00296.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6JHM-J4GF-HVJX
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Avast Service. By creating a symbolic link, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22963.
{
"affected": [],
"aliases": [
"CVE-2024-7232"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:15Z",
"severity": "HIGH"
},
"details": "Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Avast Service. By creating a symbolic link, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22963.",
"id": "GHSA-6jhm-j4gf-hvjx",
"modified": "2024-11-23T03:31:58Z",
"published": "2024-11-23T03:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7232"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JR3-PH3X-8Q66
Vulnerability from github – Published: 2022-05-14 00:59 – Updated: 2022-05-14 00:59lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source.
{
"affected": [],
"aliases": [
"CVE-2015-1335"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-10-01T20:59:00Z",
"severity": "HIGH"
},
"details": "lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source.",
"id": "GHSA-6jr3-ph3x-8q66",
"modified": "2022-05-14T00:59:46Z",
"published": "2022-05-14T00:59:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1335"
},
{
"type": "WEB",
"url": "https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662"
},
{
"type": "WEB",
"url": "https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170045.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171358.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171364.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00023.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3400"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/09/29/4"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76894"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2753-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6M5P-MV69-2WFH
Vulnerability from github – Published: 2024-12-17 12:31 – Updated: 2024-12-17 12:31Dell AppSync, version 4.6.0.x, contain a Symbolic Link (Symlink) Following vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information tampering.
{
"affected": [],
"aliases": [
"CVE-2024-52542"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-17T12:15:20Z",
"severity": "MODERATE"
},
"details": "Dell AppSync, version 4.6.0.x, contain a Symbolic Link (Symlink) Following vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information tampering.",
"id": "GHSA-6m5p-mv69-2wfh",
"modified": "2024-12-17T12:31:40Z",
"published": "2024-12-17T12:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52542"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000261039/dsa-2024-496-security-update-for-dell-appsync-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6M84-667V-M265
Vulnerability from github – Published: 2022-05-01 23:34 – Updated: 2022-05-01 23:34w_editeur.c in XWine 1.0.1 for Debian GNU/Linux allows local users to overwrite or print arbitrary files via a symlink attack on the temporaire temporary file. NOTE: some of these details are obtained from third party information.
{
"affected": [],
"aliases": [
"CVE-2008-0930"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-03-04T00:44:00Z",
"severity": "HIGH"
},
"details": "w_editeur.c in XWine 1.0.1 for Debian GNU/Linux allows local users to overwrite or print arbitrary files via a symlink attack on the temporaire temporary file. NOTE: some of these details are obtained from third party information.",
"id": "GHSA-6m84-667v-m265",
"modified": "2022-05-01T23:34:48Z",
"published": "2022-05-01T23:34:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0930"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468050"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29125"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29452"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1526"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/28049"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6MH8-R4FC-H3CH
Vulnerability from github – Published: 2022-05-17 01:17 – Updated: 2022-05-17 01:17php-fpm allows local users to write to or create arbitrary files via a symlink attack.
{
"affected": [],
"aliases": [
"CVE-2015-3211"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-25T18:29:00Z",
"severity": "MODERATE"
},
"details": "php-fpm allows local users to write to or create arbitrary files via a symlink attack.",
"id": "GHSA-6mh8-r4fc-h3ch",
"modified": "2022-05-17T01:17:01Z",
"published": "2022-05-17T01:17:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3211"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1228721"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.