CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1988 vulnerabilities reference this CWE, most recent first.
GHSA-57X5-VVHV-RVXM
Vulnerability from github – Published: 2022-05-17 04:37 – Updated: 2022-05-17 04:37The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary file via an attack on the sensor-settings file.
{
"affected": [],
"aliases": [
"CVE-2013-6124"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-08-31T10:55:00Z",
"severity": "LOW"
},
"details": "The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary file via an attack on the sensor-settings file.",
"id": "GHSA-57x5-vvhv-rvxm",
"modified": "2022-05-17T04:37:59Z",
"published": "2022-05-17T04:37:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6124"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/projects/security-advisories/insecure-owner-permission-changes-init-shell-scripts-cve-2013-6124"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5848-87GF-WVQV
Vulnerability from github – Published: 2022-05-14 02:40 – Updated: 2022-05-14 02:40/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.
{
"affected": [],
"aliases": [
"CVE-2008-5394"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-09T00:30:00Z",
"severity": "HIGH"
},
"details": "/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.",
"id": "GHSA-5848-87gf-wvqv",
"modified": "2022-05-14T02:40:14Z",
"published": "2022-05-14T02:40:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5394"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47037"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/7313"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/332198"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/505071"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/505271"
},
{
"type": "WEB",
"url": "http://osvdb.org/52200"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200903-24.xml"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/4695"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:062"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/498769/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32552"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-695-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5888-494V-35JQ
Vulnerability from github – Published: 2022-04-30 18:22 – Updated: 2024-01-25 21:32Sun PC NetLink 1.0 through 1.2 does not properly set the access control list (ACL) for files and directories that use symbolic links and have been restored from backup, which could allow local or remote attackers to bypass intended access restrictions.
{
"affected": [],
"aliases": [
"CVE-2002-2323"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Sun PC NetLink 1.0 through 1.2 does not properly set the access control list (ACL) for files and directories that use symbolic links and have been restored from backup, which could allow local or remote attackers to bypass intended access restrictions.",
"id": "GHSA-5888-494v-35jq",
"modified": "2024-01-25T21:32:09Z",
"published": "2022-04-30T18:22:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-2323"
},
{
"type": "WEB",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-27807-1"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/9665.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/5281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-58P9-FWRR-259C
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&code= URI. This occurs because chmod is used unsafely.
{
"affected": [],
"aliases": [
"CVE-2021-30463"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-08T14:15:00Z",
"severity": "HIGH"
},
"details": "VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm\u0026user=admin\u0026code= URI. This occurs because chmod is used unsafely.",
"id": "GHSA-58p9-fwrr-259c",
"modified": "2022-05-24T17:46:55Z",
"published": "2022-05-24T17:46:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30463"
},
{
"type": "WEB",
"url": "https://ssd-disclosure.com/ssd-advisory-vestacp-lpe-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-58PW-R2V4-PWJV
Vulnerability from github – Published: 2025-08-08 21:30 – Updated: 2025-11-05 00:317-Zip before 25.01 does not always properly handle symbolic links during extraction.
{
"affected": [],
"aliases": [
"CVE-2025-55188"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-08T21:15:25Z",
"severity": "LOW"
},
"details": "7-Zip before 25.01 does not always properly handle symbolic links during extraction.",
"id": "GHSA-58pw-r2v4-pwjv",
"modified": "2025-11-05T00:31:24Z",
"published": "2025-08-08T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55188"
},
{
"type": "WEB",
"url": "https://github.com/ip7z/7zip/compare/25.00...25.01"
},
{
"type": "WEB",
"url": "https://github.com/ip7z/7zip/releases/tag/25.01"
},
{
"type": "WEB",
"url": "https://github.com/lunbun/CVE-2025-55188"
},
{
"type": "WEB",
"url": "https://lunbun.dev/blog/cve-2025-55188"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/sevenzip/discussion/45797/thread/da14cd780b"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/08/09/1"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-detect-7-zip-vulnerable-version"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-mitigate-7-zip-vulnerability"
},
{
"type": "WEB",
"url": "https://youtu.be/sWT6M1cfnwM"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/09/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/10/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/13/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/12/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/16/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-58V9-JF45-V492
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-04-04 03:04Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.
{
"affected": [],
"aliases": [
"CVE-2021-27229"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-16T04:15:00Z",
"severity": "HIGH"
},
"details": "Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.",
"id": "GHSA-58v9-jf45-v492",
"modified": "2024-04-04T03:04:36Z",
"published": "2022-05-24T17:42:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27229"
},
{
"type": "WEB",
"url": "https://github.com/mumble-voip/mumble/pull/4733"
},
{
"type": "WEB",
"url": "https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648"
},
{
"type": "WEB",
"url": "https://github.com/mumble-voip/mumble/compare/1.3.3...1.3.4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00022.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202105-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58XF-QF7H-M4M6
Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-5144"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-18T16:00:00Z",
"severity": "MODERATE"
},
"details": "nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.",
"id": "GHSA-58xf-qf7h-m4m6",
"modified": "2022-05-17T05:53:08Z",
"published": "2022-05-17T05:53:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5144"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32411"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5977-VHPG-P3HQ
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-26238"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T17:15:50Z",
"severity": "HIGH"
},
"details": "Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability",
"id": "GHSA-5977-vhpg-p3hq",
"modified": "2024-05-14T18:31:03Z",
"published": "2024-05-14T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26238"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-597G-3PHW-6986
Vulnerability from github – Published: 2026-01-13 18:45 – Updated: 2026-01-13 18:45Impact
TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.
Affected versions: All versions up to and including 20.36.1
Affected users: Any user running virtualenv on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where VIRTUALENV_OVERRIDE_APP_DATA points to a user-writable location.
Attack scenarios: - Cache poisoning: Attacker corrupts wheels or Python metadata in the cache - Information disclosure: Attacker reads sensitive cached data or metadata - Lock bypass: Attacker controls lock file semantics to cause concurrent access violations - Denial of service: Lock starvation preventing virtualenv operations
Patches
The vulnerability has been patched by replacing check-then-act patterns with atomic os.makedirs(..., exist_ok=True) operations.
Fixed in: PR #3013
Versions with the fix: 20.36.2 and later
Users should upgrade to version 20.36.2 or later.
Workarounds
If you cannot upgrade immediately:
- Ensure
VIRTUALENV_OVERRIDE_APP_DATApoints to a directory owned by the current user with restricted permissions (mode 0700) - Avoid running
virtualenvin shared temporary directories where other users have write access - Use separate user accounts for different projects to isolate app_data directories
References
- GitHub PR: https://github.com/pypa/virtualenv/pull/3013
- Vulnerability reported by: @tsigouris007
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
- CWE-59: Improper Link Resolution Before File Access
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "virtualenv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.36.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22702"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T18:45:57Z",
"nvd_published_at": "2026-01-10T07:16:02Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nTOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv\u0027s app_data and lock file operations to attacker-controlled locations.\n\n**Affected versions:** All versions up to and including 20.36.1\n\n**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.\n\n**Attack scenarios:**\n- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache\n- Information disclosure: Attacker reads sensitive cached data or metadata\n- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations\n- Denial of service: Lock starvation preventing virtualenv operations\n\n## Patches\n\nThe vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.\n\n**Fixed in:** PR #3013\n\n**Versions with the fix:** 20.36.2 and later\n\nUsers should upgrade to version 20.36.2 or later.\n\n## Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)\n2. Avoid running `virtualenv` in shared temporary directories where other users have write access\n3. Use separate user accounts for different projects to isolate app_data directories\n\n## References\n\n- GitHub PR: https://github.com/pypa/virtualenv/pull/3013\n- Vulnerability reported by: @tsigouris007\n- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)\n- CWE-59: Improper Link Resolution Before File Access",
"id": "GHSA-597g-3phw-6986",
"modified": "2026-01-13T18:45:57Z",
"published": "2026-01-13T18:45:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22702"
},
{
"type": "WEB",
"url": "https://github.com/pypa/virtualenv/pull/3013"
},
{
"type": "WEB",
"url": "https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc"
},
{
"type": "PACKAGE",
"url": "https://github.com/pypa/virtualenv"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "virtualenv Has TOCTOU Vulnerabilities in Directory Creation"
}
GHSA-599W-RMP9-P3VV
Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.
{
"affected": [],
"aliases": [
"CVE-2022-21770"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.",
"id": "GHSA-599w-rmp9-p3vv",
"modified": "2022-07-15T00:00:23Z",
"published": "2022-07-07T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21770"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/July-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.