CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-M3RX-6QWW-MHM3
Vulnerability from github – Published: 2025-05-23 00:30 – Updated: 2025-05-23 00:30Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-47181"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T22:15:30Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-m3rx-6qww-mhm3",
"modified": "2025-05-23T00:30:19Z",
"published": "2025-05-23T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47181"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47181"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M3XJ-59H7-GGX6
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072.
{
"affected": [],
"aliases": [
"CVE-2011-1144"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-03-03T01:00:00Z",
"severity": "LOW"
},
"details": "The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072.",
"id": "GHSA-m3xj-59h7-ggx6",
"modified": "2022-05-13T01:28:46Z",
"published": "2022-05-13T01:28:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1144"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65911"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/28/5"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/03/01/4"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/03/01/5"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/03/01/7"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/03/01/8"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/03/01/9"
},
{
"type": "WEB",
"url": "http://pear.php.net/bugs/bug.php?id=18056"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M3XJ-MR5Q-CH25
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.
{
"affected": [],
"aliases": [
"CVE-2021-32553"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-12T04:15:00Z",
"severity": "MODERATE"
},
"details": "It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.",
"id": "GHSA-m3xj-mr5q-ch25",
"modified": "2022-05-24T19:05:15Z",
"published": "2022-05-24T19:05:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32553"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M43V-GRHW-R4H4
Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-05 15:31The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.
{
"affected": [],
"aliases": [
"CVE-2025-69429"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T18:16:16Z",
"severity": "HIGH"
},
"details": "The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device\u0027s slot, then access the USB drive\u0027s symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.",
"id": "GHSA-m43v-grhw-r4h4",
"modified": "2026-02-05T15:31:09Z",
"published": "2026-02-03T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69429"
},
{
"type": "WEB",
"url": "https://www.notion.so/ORICO-NAS-Incorrect-Symlink-Follow-2c36cf4e528a80b7bf0be4dcac758419?source=copy_link"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M49R-9XJ2-M9Q5
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31VIPRE Advanced Security SBAMSvc Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Anti Malware Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22238.
{
"affected": [],
"aliases": [
"CVE-2024-7238"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:16Z",
"severity": "HIGH"
},
"details": "VIPRE Advanced Security SBAMSvc Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Anti Malware Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22238.",
"id": "GHSA-m49r-9xj2-m9q5",
"modified": "2024-11-23T03:31:58Z",
"published": "2024-11-23T03:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7238"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4QV-HJ8Q-QX52
Vulnerability from github – Published: 2022-01-12 00:00 – Updated: 2024-11-14 21:31Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21919.
{
"affected": [],
"aliases": [
"CVE-2022-21895"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-11T21:15:00Z",
"severity": "HIGH"
},
"details": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21919.",
"id": "GHSA-m4qv-hj8q-qx52",
"modified": "2024-11-14T21:31:49Z",
"published": "2022-01-12T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21895"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21895"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21895"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M543-3MP9-RFGF
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-03 00:00A vulnerability in share_link in QSAN Storage Manager allows remote attackers to create a symbolic link then access arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2021-32518"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T14:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in share_link in QSAN Storage Manager allows remote attackers to create a symbolic link then access arbitrary files.",
"id": "GHSA-m543-3mp9-rfgf",
"modified": "2022-07-03T00:00:23Z",
"published": "2022-05-24T19:07:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32518"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4874-79edc-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M545-63MF-QH6W
Vulnerability from github – Published: 2022-05-17 01:54 – Updated: 2022-05-17 01:54The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to create or overwrite arbitrary files via a crafted --session-dir argument in conjunction with a symlink attack on the opd_pipe file, a different vulnerability than CVE-2011-1760.
{
"affected": [],
"aliases": [
"CVE-2011-2473"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-06-09T21:55:00Z",
"severity": "MODERATE"
},
"details": "The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to create or overwrite arbitrary files via a crafted --session-dir argument in conjunction with a symlink attack on the opd_pipe file, a different vulnerability than CVE-2011-1760.",
"id": "GHSA-m545-63mf-qh6w",
"modified": "2022-05-17T01:54:56Z",
"published": "2022-05-17T01:54:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2473"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67978"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/05/03/1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/05/10/6"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/05/10/7"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/05/11/1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2254"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M5CG-XH84-2P2R
Vulnerability from github – Published: 2022-05-02 06:10 – Updated: 2025-04-11 03:31Bournal before 1.4.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified temporary files associated with a --hack_the_gibson update check.
{
"affected": [],
"aliases": [
"CVE-2010-0118"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-02-25T00:30:00Z",
"severity": "LOW"
},
"details": "Bournal before 1.4.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified temporary files associated with a --hack_the_gibson update check.",
"id": "GHSA-m5cg-xh84-2p2r",
"modified": "2025-04-11T03:31:46Z",
"published": "2022-05-02T06:10:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0118"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036697.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036701.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036764.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38554"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38814"
},
{
"type": "WEB",
"url": "http://secunia.com/secunia_research/2010-6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/509685/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/38353"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M5F7-XX8H-V9X2
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18geo-code in gpsdrive-scripts 2.10~pre4 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/geo.google, (2) /tmp/geo.yahoo, (3) /tmp/geo.coords, and (4) /tmp/geo#####.coords temporary files.
{
"affected": [],
"aliases": [
"CVE-2008-4959"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-05T15:00:00Z",
"severity": "MODERATE"
},
"details": "geo-code in gpsdrive-scripts 2.10~pre4 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/geo.google, (2) /tmp/geo.yahoo, (3) /tmp/geo.coords, and (4) /tmp/geo#####.coords temporary files.",
"id": "GHSA-m5f7-xx8h-v9x2",
"modified": "2022-05-17T02:18:32Z",
"published": "2022-05-17T02:18:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4959"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44759"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00187.html"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496436"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/gpsdrive-scripts"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31694"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33825"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30905"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.