CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1992 vulnerabilities reference this CWE, most recent first.
GHSA-2W8H-HCH2-V23H
Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.
{
"affected": [],
"aliases": [
"CVE-2024-6868"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T13:15:08Z",
"severity": "HIGH"
},
"details": "mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a \u0027tarslip\u0027 attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.",
"id": "GHSA-2w8h-hch2-v23h",
"modified": "2024-10-29T15:32:05Z",
"published": "2024-10-29T15:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6868"
},
{
"type": "WEB",
"url": "https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WH2-4QXG-W52C
Vulnerability from github – Published: 2022-05-14 03:57 – Updated: 2022-05-14 03:57The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.
{
"affected": [],
"aliases": [
"CVE-2016-3108"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-08T18:29:00Z",
"severity": "HIGH"
},
"details": "The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.",
"id": "GHSA-2wh2-4qxg-w52c",
"modified": "2022-05-14T03:57:46Z",
"published": "2022-05-14T03:57:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3108"
},
{
"type": "WEB",
"url": "https://github.com/pulp/pulp/pull/2528"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2016:1501"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-3108"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/attachment.cgi?id=1146475"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1325934"
},
{
"type": "WEB",
"url": "https://pulp.plan.io/issues/1830"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/05/20/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2X93-PF6J-8C9X
Vulnerability from github – Published: 2026-04-23 21:31 – Updated: 2026-04-23 21:31radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.
{
"affected": [],
"aliases": [
"CVE-2026-6941"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T21:16:06Z",
"severity": "MODERATE"
},
"details": "radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.",
"id": "GHSA-2x93-pf6j-8c9x",
"modified": "2026-04-23T21:31:24Z",
"published": "2026-04-23T21:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6941"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/pull/25831"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f32a4"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-symlink"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2X9H-7774-VHG2
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2024-04-04 02:50Avira Antivirus before 5.0.2003.1821 on Windows allows privilege escalation or a denial of service via abuse of a symlink.
{
"affected": [],
"aliases": [
"CVE-2020-12254"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-26T15:15:00Z",
"severity": "HIGH"
},
"details": "Avira Antivirus before 5.0.2003.1821 on Windows allows privilege escalation or a denial of service via abuse of a symlink.",
"id": "GHSA-2x9h-7774-vhg2",
"modified": "2024-04-04T02:50:16Z",
"published": "2022-05-24T17:16:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12254"
},
{
"type": "WEB",
"url": "https://support.avira.com/hc/en-us/articles/360000109798-Avira-Antivirus-for-Windows"
},
{
"type": "WEB",
"url": "http://web.archive.org/web/20200429193852/https://support.avira.com/hc/en-us/articles/360000109798-Avira-Antivirus-for-Windows"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2XGV-6QHC-WPXF
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18vdrleaktest in Video Disk Recorder (aka vdr-dbg or vdr) 1.6.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/memleaktest.log temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4985"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "vdrleaktest in Video Disk Recorder (aka vdr-dbg or vdr) 1.6.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/memleaktest.log temporary file.",
"id": "GHSA-2xgv-6qhc-wpxf",
"modified": "2022-05-17T02:18:27Z",
"published": "2022-05-17T02:18:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4985"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235827"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44880"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496421"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/vdr-dbg"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-329C-JRV3-6H96
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-02-24 00:30IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in oninit mongohash. IBM X-Force ID: 144431.
{
"affected": [],
"aliases": [
"CVE-2018-1631"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in oninit mongohash. IBM X-Force ID: 144431.",
"id": "GHSA-329c-jrv3-6h96",
"modified": "2023-02-24T00:30:16Z",
"published": "2022-05-24T16:54:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1631"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/144431"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190903-0002"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10964987"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-32P2-RGHV-W56X
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:18In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart.
{
"affected": [],
"aliases": [
"CVE-2019-11230"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-18T17:15:00Z",
"severity": "MODERATE"
},
"details": "In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart.",
"id": "GHSA-32p2-rghv-w56x",
"modified": "2024-04-04T01:18:34Z",
"published": "2022-05-24T16:50:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11230"
},
{
"type": "WEB",
"url": "http://www.mcerlane.co.uk/CVE-2019-11230"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109344"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-32R7-MGWG-67WQ
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-23 00:00AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.
{
"affected": [],
"aliases": [
"CVE-2022-32450"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T13:15:00Z",
"severity": "HIGH"
},
"details": "AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.",
"id": "GHSA-32r7-mgwg-67wq",
"modified": "2022-07-23T00:00:23Z",
"published": "2022-07-19T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32450"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2022/Jun/44"
},
{
"type": "WEB",
"url": "http://anydesk.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167608/AnyDesk-7.0.9-Arbitrary-File-Write-Denial-Of-Service.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jul/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-33PM-33CG-5576
Vulnerability from github – Published: 2026-05-20 15:35 – Updated: 2026-05-20 15:35Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-42834"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T13:16:34Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-33pm-33cg-5576",
"modified": "2026-05-20T15:35:32Z",
"published": "2026-05-20T15:35:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42834"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42834"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-33W2-PRHC-2Q89
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-10-07 18:15Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.
{
"affected": [],
"aliases": [
"CVE-2020-8831"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-22T22:15:00Z",
"severity": "LOW"
},
"details": "Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport\u0027s lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.",
"id": "GHSA-33w2-prhc-2q89",
"modified": "2022-10-07T18:15:44Z",
"published": "2022-05-24T17:16:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8831"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1862348"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4315-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4315-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.