CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-RFR2-972G-H6H9
Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/probe-finished or (2) /tmp/ppp-errors temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-5366"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-08T23:30:00Z",
"severity": "MODERATE"
},
"details": "The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/probe-finished or (2) /tmp/ppp-errors temporary file.",
"id": "GHSA-rfr2-972g-h6h9",
"modified": "2022-05-17T05:53:13Z",
"published": "2022-05-17T05:53:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5366"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00283.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32740"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RFWJ-HVCP-2885
Vulnerability from github – Published: 2025-11-04 03:30 – Updated: 2025-12-17 21:30This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2025-43446"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T02:15:50Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to modify protected parts of the file system.",
"id": "GHSA-rfwj-hvcp-2885",
"modified": "2025-12-17T21:30:37Z",
"published": "2025-11-04T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43446"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125634"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125635"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RFX4-8CP9-VWWX
Vulnerability from github – Published: 2024-12-30 21:30 – Updated: 2024-12-30 21:30Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the product installer. By creating a junction, an attacker can abuse the installer process to create an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25408.
{
"affected": [],
"aliases": [
"CVE-2024-12753"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-30T21:15:06Z",
"severity": "MODERATE"
},
"details": "Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the product installer. By creating a junction, an attacker can abuse the installer process to create an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25408.",
"id": "GHSA-rfx4-8cp9-vwwx",
"modified": "2024-12-30T21:30:47Z",
"published": "2024-12-30T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12753"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1739"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RFXJ-HQ8G-HC57
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44A vulnerability exists in IBM SPSS Modeler Subscription Installer that allows a user with create symbolic link permission to write arbitrary file in another protected path during product installation. IBM X-Force ID: 187727.
{
"affected": [],
"aliases": [
"CVE-2020-4717"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T15:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in IBM SPSS Modeler Subscription Installer that allows a user with create symbolic link permission to write arbitrary file in another protected path during product installation. IBM X-Force ID: 187727.",
"id": "GHSA-rfxj-hq8g-hc57",
"modified": "2022-05-24T17:44:05Z",
"published": "2022-05-24T17:44:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4717"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/187727"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6427901"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RG42-3854-X575
Vulnerability from github – Published: 2022-01-27 00:01 – Updated: 2022-10-13 19:00A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1.
{
"affected": [],
"aliases": [
"CVE-2022-21944"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-26T09:15:00Z",
"severity": "HIGH"
},
"details": "A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1.",
"id": "GHSA-rg42-3854-x575",
"modified": "2022-10-13T19:00:23Z",
"published": "2022-01-27T00:01:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21944"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1194470"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG46-XP9G-7M7C
Vulnerability from github – Published: 2022-05-17 05:20 – Updated: 2022-05-17 05:20ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when TTY information caching is enabled, allows local users to overwrite arbitrary files via a symlink attack on /tmp/TTYDEVS.
{
"affected": [],
"aliases": [
"CVE-2011-4363"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-10-07T21:55:00Z",
"severity": "LOW"
},
"details": "ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when TTY information caching is enabled, allows local users to overwrite arbitrary files via a symlink attack on /tmp/TTYDEVS.",
"id": "GHSA-rg46-xp9g-7m7c",
"modified": "2022-05-17T05:20:42Z",
"published": "2022-05-17T05:20:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4363"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4363"
},
{
"type": "WEB",
"url": "https://rt.cpan.org/Public/Bug/Display.html?id=72862"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650500"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/47015"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/11/30/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/11/30/3"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/77428"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/50868"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RG5R-258X-6C87
Vulnerability from github – Published: 2025-11-04 03:30 – Updated: 2025-12-17 21:30This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2025-43394"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T02:15:46Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access protected user data.",
"id": "GHSA-rg5r-258x-6c87",
"modified": "2025-12-17T21:30:33Z",
"published": "2025-11-04T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43394"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125634"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125635"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RG9J-QF6H-JPWG
Vulnerability from github – Published: 2022-05-14 02:09 – Updated: 2022-05-14 02:09The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.
{
"affected": [],
"aliases": [
"CVE-2014-2893"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-04-23T15:55:00Z",
"severity": "LOW"
},
"details": "The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.",
"id": "GHSA-rg9j-qf6h-jpwg",
"modified": "2022-05-14T02:09:29Z",
"published": "2022-05-14T02:09:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2893"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00038.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/04/16/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/04/20/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RGCJ-4QC4-RJ56
Vulnerability from github – Published: 2022-05-02 06:13 – Updated: 2022-05-02 06:13Folder Manager in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows local users to delete arbitrary folders via a symlink attack in conjunction with an unmount operation on a crafted volume, related to the Cleanup At Startup folder.
{
"affected": [],
"aliases": [
"CVE-2010-0546"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-06-17T16:30:00Z",
"severity": "LOW"
},
"details": "Folder Manager in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows local users to delete arbitrary folders via a symlink attack in conjunction with an unmount operation on a crafted volume, related to the Cleanup At Startup folder.",
"id": "GHSA-rgcj-4qc4-rj56",
"modified": "2022-05-02T06:13:41Z",
"published": "2022-05-02T06:13:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0546"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/40220"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1024103"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4188"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/40871"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1481"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RGHG-GW3P-2F8W
Vulnerability from github – Published: 2022-05-01 18:38 – Updated: 2022-05-01 18:38feynmf.pl in feynmf 1.08, as used in TeXLive 2007, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the feynmf$$.pl temporary file.
{
"affected": [],
"aliases": [
"CVE-2007-5940"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-11-13T23:46:00Z",
"severity": "MODERATE"
},
"details": "feynmf.pl in feynmf 1.08, as used in TeXLive 2007, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the feynmf$$.pl temporary file.",
"id": "GHSA-rghg-gw3p-2f8w",
"modified": "2022-05-01T18:38:11Z",
"published": "2022-05-01T18:38:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5940"
},
{
"type": "WEB",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=198231"
},
{
"type": "WEB",
"url": "http://osvdb.org/42397"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27737"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27739"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200711-32.xml"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/26507"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/3974"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.