Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1983 vulnerabilities reference this CWE, most recent first.

GHSA-XM9P-Q7G6-FM6P

Vulnerability from github – Published: 2022-05-17 02:17 – Updated: 2022-05-17 02:17
VLAI
Details

The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek VirtualBox before 2.0.6 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-27T00:30:00Z",
    "severity": "MODERATE"
  },
  "details": "The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek VirtualBox before 2.0.6 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary file.",
  "id": "GHSA-xm9p-q7g6-fm6p",
  "modified": "2022-05-17T02:17:59Z",
  "published": "2022-05-17T02:17:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5256"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46826"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504149"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32851"
    },
    {
      "type": "WEB",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-247326-1"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:011"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32444"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021384"
    },
    {
      "type": "WEB",
      "url": "http://www.virtualbox.org/changeset?new=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%4013810"
    },
    {
      "type": "WEB",
      "url": "http://www.virtualbox.org/wiki/Changelog"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/3410"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XMF5-8JHR-2Q75

Vulnerability from github – Published: 2024-08-31 09:30 – Updated: 2024-08-31 09:30
VLAI
Details

Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.1 contains a UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-31T08:15:04Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.1 contains a UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering.",
  "id": "GHSA-xmf5-8jhr-2q75",
  "modified": "2024-08-31T09:30:44Z",
  "published": "2024-08-31T09:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39578"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000228207/dsa-2024-346-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMV6-R34M-62P4

Vulnerability from github – Published: 2026-03-03 22:08 – Updated: 2026-03-03 22:08
VLAI
Summary
OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot
Details

Summary

A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected versions: <= 2026.2.24
  • Latest published npm version at triage time (February 26, 2026): 2026.2.24
  • Patched version : 2026.2.25

Details

When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-<uid> without verifying that fallback path was a trusted non-symlink directory.

resolveSandboxedMediaSource() (src/agents/sandbox-paths.ts) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to /), inputs like $TMPDIR/openclaw-<uid>/etc/passwd can pass validation and resolve to host files outside sandboxRoot.

Impact

This can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact).

Reproduction (high level)

  1. Force resolver fallback (make /tmp/openclaw unavailable/invalid).
  2. Make fallback root ($TMPDIR/openclaw-<uid>) a symlink alias to /.
  3. Submit media path under fallback root (for example $TMPDIR/openclaw-<uid>/etc/passwd).
  4. Observe accepted path and read outside sandboxRoot.

Fix Commit(s)

  • 496a76c03ba85e15ea715e5a583e498ae04d36e3

Release Process Note

Patched version is pre-set to release 2026.2.25; once npm publish for 2026.2.25 is complete, this advisory can be published without further metadata edits.

OpenClaw thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T22:08:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA sandbox path validation bypass in `openclaw` allows host file reads outside `sandboxRoot` via the media path fallback tmp flow when the fallback tmp root is a symlink alias.\n\n### Affected Packages / Versions\n- Package: `npm openclaw`\n- Affected versions: `\u003c= 2026.2.24`\n- Latest published npm version at triage time (February 26, 2026): `2026.2.24`\n- Patched version : `2026.2.25`\n\n### Details\nWhen `/tmp/openclaw` is unavailable or unsafe, `resolvePreferredOpenClawTmpDir()` in `src/infra/tmp-openclaw-dir.ts` fell back to `os.tmpdir()/openclaw-\u003cuid\u003e` without verifying that fallback path was a trusted non-symlink directory.\n\n`resolveSandboxedMediaSource()` (`src/agents/sandbox-paths.ts`) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to `/`), inputs like `$TMPDIR/openclaw-\u003cuid\u003e/etc/passwd` can pass validation and resolve to host files outside `sandboxRoot`.\n\n### Impact\nThis can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact).\n\n### Reproduction (high level)\n1. Force resolver fallback (make `/tmp/openclaw` unavailable/invalid).\n2. Make fallback root (`$TMPDIR/openclaw-\u003cuid\u003e`) a symlink alias to `/`.\n3. Submit media path under fallback root (for example `$TMPDIR/openclaw-\u003cuid\u003e/etc/passwd`).\n4. Observe accepted path and read outside `sandboxRoot`.\n\n### Fix Commit(s)\n- `496a76c03ba85e15ea715e5a583e498ae04d36e3`\n\n### Release Process Note\nPatched version is pre-set to release `2026.2.25`; once npm publish for `2026.2.25` is complete, this advisory can be published without further metadata edits.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-xmv6-r34m-62p4",
  "modified": "2026-03-03T22:08:54Z",
  "published": "2026-03-03T22:08:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot"
}

GHSA-XPCC-F29M-W2XX

Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33
VLAI
Details

Windows Storage Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-08T18:15:20Z",
    "severity": "HIGH"
  },
  "details": "Windows Storage Elevation of Privilege Vulnerability",
  "id": "GHSA-xpcc-f29m-w2xx",
  "modified": "2024-10-08T18:33:16Z",
  "published": "2024-10-08T18:33:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43551"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43551"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPHP-JRMH-9RJJ

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability",
  "id": "GHSA-xphp-jrmh-9rjj",
  "modified": "2022-05-24T17:44:21Z",
  "published": "2022-05-24T17:44:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26887"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26887"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQ25-M329-6GR4

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

Monkey HTTP Daemon 0.9.3 might allow local users to overwrite arbitrary files via a symlink attack on a PID file, as demonstrated by a pathname different from the default /var/run/monkey.pid pathname.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-5303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-10-05T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Monkey HTTP Daemon 0.9.3 might allow local users to overwrite arbitrary files via a symlink attack on a PID file, as demonstrated by a pathname different from the default /var/run/monkey.pid pathname.",
  "id": "GHSA-xq25-m329-6gr4",
  "modified": "2022-05-13T01:27:36Z",
  "published": "2022-05-13T01:27:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5303"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672425"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688879"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/55905"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XQ2X-GX2H-74R3

Vulnerability from github – Published: 2022-05-17 05:52 – Updated: 2022-05-17 05:52
VLAI
Details

src/unit_test.c in gpsdrive (aka gpsdrive-scripts) 2.10~pre4 might allow local users to overwrite arbitrary files via a symlink attack on the /tmp/gpsdrive-unit-test/proc temporary file, a different vector than CVE-2008-4959 and CVE-2008-5380.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-12-22T15:30:00Z",
    "severity": "HIGH"
  },
  "details": "src/unit_test.c in gpsdrive (aka gpsdrive-scripts) 2.10~pre4 might allow local users to overwrite arbitrary files via a symlink attack on the /tmp/gpsdrive-unit-test/proc temporary file, a different vector than CVE-2008-4959 and CVE-2008-5380.",
  "id": "GHSA-xq2x-gx2h-74r3",
  "modified": "2022-05-17T05:52:36Z",
  "published": "2022-05-17T05:52:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5704"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2008/12/17/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XQ6P-X243-2JPW

Vulnerability from github – Published: 2022-05-14 01:26 – Updated: 2022-05-14 01:26
VLAI
Details

CrashHouseKeeping in Crash Reporting in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to change arbitrary file permissions by leveraging a symlink.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-1272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-03-14T10:55:00Z",
    "severity": "MODERATE"
  },
  "details": "CrashHouseKeeping in Crash Reporting in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to change arbitrary file permissions by leveraging a symlink.",
  "id": "GHSA-xq6p-x243-2jpw",
  "modified": "2022-05-14T01:26:48Z",
  "published": "2022-05-14T01:26:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1272"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT6162"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT6163"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XQ8G-H7MF-47QR

Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18
VLAI
Details

sample.sh in maildirsync 1.1 allows local users to append data to arbitrary files via a symlink attack on a /tmp/maildirsync-*.#####.log temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-18T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "sample.sh in maildirsync 1.1 allows local users to append data to arbitrary files via a symlink attack on a /tmp/maildirsync-*.#####.log temporary file.",
  "id": "GHSA-xq8g-h7mf-47qr",
  "modified": "2022-05-17T02:18:02Z",
  "published": "2022-05-17T02:18:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5150"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46711"
    },
    {
      "type": "WEB",
      "url": "http://lists.debian.org/debian-devel/2008/08/msg00347.html"
    },
    {
      "type": "WEB",
      "url": "http://uvw.ru/report.sid.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32403"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XQ95-4RWQ-MPPC

Vulnerability from github – Published: 2022-05-02 04:00 – Updated: 2025-04-11 03:48
VLAI
Details

The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-5079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-06-30T15:55:00Z",
    "severity": "LOW"
  },
  "details": "The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file.",
  "id": "GHSA-xq95-4rwq-mppc",
  "modified": "2025-04-11T03:48:10Z",
  "published": "2022-05-02T04:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-5079"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff.diff?r1=1.1%3Br2=1.2%3Bf=h"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff.diff?r1=1.1;r2=1.2;f=h"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2009/08/14/4"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2009/08/14/5"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:085"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:086"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.