
CWE-41 (Improper Resolution of Path Equivalence) — Vulnerability Class 23

23 vulnerabilities classified as CWE-41 (Improper Resolution of Path Equivalence). AI analysis in Chinese included.

CWE-41 represents a critical input validation weakness in which an application fails to properly normalize file paths before processing them. The vulnerability arises when software does not adequately resolve special characters and path constructs, such as symbolic links or relative path sequences, that can map to multiple distinct representations of the same file system object. Attackers typically exploit this by injecting these ambiguous sequences into user-supplied input, bypassing access controls that rely on incomplete path matching logic. By manipulating the path representation, an adversary can reach restricted files or directories that the application's security mechanisms ostensibly protected. To mitigate this risk, developers must implement robust path normalization routines that resolve all symbolic links and relative references before performing any security check. Additionally, using absolute paths and a strict allow-list of permitted directories ensures that the application interacts only with intended resources, closing the gap that path equivalence attacks seek to exploit.

MITRE CWE Description
The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.
Common Consequences (1)
Scope: Confidentiality, Integrity, Access Control
Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism, then an attacker may be able to bypass the mechanism.
Mitigations (3)
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
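One way to implement the canonicalize-then-allow-list check that the mitigations above describe, written here as an added example (not code from this page or from any listed vendor). The function names `naive_check` and `safe_resolve`, the `public`/`private` directory layout and the sample inputs are all constructed for the demonstration; the weak check is shown only to contrast it with the canonical-form check.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_check(base_dir: str, user_path: str) -> bool:
    """Weak string-level check on the raw input (the CWE-41 pattern).

    It never resolves symlinks or normalizes the path, so two spellings of
    the same object are judged differently."""
    return ".." not in user_path and not os.path.isabs(user_path)


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Decode once, canonicalize, then allow-list against the real base directory.

    Returns the canonical absolute path, or None when the request is rejected."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)  # decode exactly once (CWE-174)
    if decoded != unquote(decoded) or "\x00" in decoded:
        return None  # a second decode would change it, or it carries a NUL byte
    # realpath resolves symlinks, '.' and '..' into one canonical form (CWE-180)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None  # canonical location lies outside the permitted tree
    return candidate


def demo() -> dict:
    """Constructed fixture: public/ holds index.html and a symlink 'link' that
    points at a sibling private/ directory; returns (naive, safe) verdicts."""
    root = tempfile.mkdtemp()
    base, outside = os.path.join(root, "public"), os.path.join(root, "private")
    os.makedirs(base)
    os.makedirs(outside)
    with open(os.path.join(base, "index.html"), "w") as f:
        f.write("ok")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("s")
    os.symlink(outside, os.path.join(base, "link"))  # path equivalence via symlink
    inputs = ["index.html", "link/secret.txt", "sub/../index.html",
              "%252e%252e/private/secret.txt"]
    return {p: (naive_check(base, p), safe_resolve(base, p) is not None) for p in inputs}
```

The symlinked name passes the string check but is rejected once canonicalized, while the harmless `sub/../index.html` is wrongly rejected by the string check and correctly accepted after normalization.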
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-5816 | Improper Resolution of Path Equivalence in GitLab | GitLab | 8.0 | High | 2026-04-22
CVE-2026-34510 | OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders | OpenClaw | 5.3 | Medium | 2026-04-01
CVE-2026-23674 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1607 | 7.5 | High | 2026-03-10
CVE-2025-58290 | Huawei HarmonyOS Security Vulnerability | HarmonyOS | 3.3 | Low | 2025-10-11
CVE-2025-54107 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-09-09
CVE-2024-8765 | Improper Path Equivalence Resolution in lunary-ai/lunary | lunary-ai/lunary | 9.4 | - | 2025-03-20
CVE-2024-6839 | Improper Regex Path Matching in corydolphin/flask-cors | corydolphin/flask-cors | 9.8 | - | 2025-03-20
CVE-2025-0115 | PAN-OS: Authenticated Admin File Read Vulnerability in PAN-OS CLI | PAN-OS | 4.9 | - | 2025-03-12
CVE-2025-21247 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-03-11
CVE-2025-24470 | Fortinet FortiPortal Security Vulnerability | FortiPortal | 8.1 | High | 2025-02-11
CVE-2025-21332 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21189 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21328 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21329 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21219 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21269 | Windows HTML Platforms Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21268 | MapUrlToZone Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2024-30073 | Windows Security Zone Mapping Security Feature Bypass Vulnerability | Windows 11 Version 24H2 | 7.8 | High | 2024-09-10
CVE-2024-45405 | gix-path improperly resolves configuration path reported by Git | gitoxide | 6.0 | Medium | 2024-09-06
CVE-2024-30036 | Windows Deployment Services Information Disclosure Vulnerability | Windows Server 2019 | 6.5 | Medium | 2024-05-14
CVE-2023-46169 | IBM DS8900F file manipulation | DS8900F | 6.5 | Medium | 2024-03-07
CVE-2023-36396 | Windows Compressed Folder Remote Code Execution Vulnerability | Windows 11 version 22H2 | 7.8 | High | 2023-11-14
CVE-2022-0855 | Improper Resolution of Path Equivalence in microweber-dev/whmcs_plugin | microweber-dev/whmcs_plugin | 6.1 | - | 2022-03-04

Vulnerabilities classified as CWE-41 (Improper Resolution of Path Equivalence) account for 23 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.