
CWE-59 (Improper Link Resolution Before File Access ('Link Following')) — Vulnerability Class 426

426 vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI-generated Chinese analysis included.

CWE-59 is a weakness in how software resolves a file name, not an input validation problem in the usual sense. The program is handed a name, and before it opens, writes, deletes or changes permissions on that name it does not check whether the name is a symbolic link, hard link, Windows shortcut (.LNK), junction or other reparse point that redirects to a resource it never meant to touch. The typical attack is local: an attacker who can write to a directory that a privileged component later operates in (a temp directory, a log or quarantine folder, an update cache) plants a link there, and the component, running as SYSTEM or root, follows the link and reads, overwrites or deletes the target. Many entries in the list below are exactly this pattern, which is why most of them are local privilege escalations. The consequences range from information disclosure to arbitrary file write, and an arbitrary write as a privileged user is usually enough for code execution as that user.

Mitigation has to assume the attacker controls the directory contents and can change them at any time. Canonicalizing a path and comparing it against an allowlist is a necessary first step but is not sufficient on its own, because the check and the subsequent open are separate operations and the link can be planted between them. Open files with flags that refuse to follow links (O_NOFOLLOW on POSIX, FILE_FLAG_OPEN_REPARSE_POINT on Windows), anchor path traversal to an already opened directory handle instead of re-resolving a full path, verify the type and ownership of the object actually opened (fstat on the descriptor, not stat on the path), avoid doing privileged work in world-writable directories at all, and run the component with the least privilege it needs so that a followed link can do little damage.
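The three approaches above side by side, as an added example that is not code from the page or from any of the products listed below. It builds a constructed directory tree in a temp directory on a POSIX system (a "sensitive" file outside a served root and an attacker-planted symlink inside it), then shows a naive open following the link, a realpath-then-open check that blocks the planted link but loses a simulated race, and a component-by-component open with O_NOFOLLOW anchored to a directory descriptor that has no check/use window. Names such as uploads/, notes.txt, evil.txt and the attacker_hook callback are assumptions for the demo.

```python
import os
import shutil
import stat
import tempfile


def build_layout():
    """Constructed sample tree (not a real deployment):
       <base>/secret.txt          sensitive file outside the served root
       <base>/uploads/notes.txt   legitimate file inside the root
       <base>/uploads/evil.txt    attacker-planted symlink -> <base>/secret.txt
    """
    base = tempfile.mkdtemp(prefix="cwe59-")
    root = os.path.join(base, "uploads")
    os.mkdir(root)
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("SECRET")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("hello")
    os.symlink(secret, os.path.join(root, "evil.txt"))
    return base, root, secret


def naive_read(root, name):
    """Vulnerable: open() silently follows the link out of root."""
    with open(os.path.join(root, name)) as f:
        return f.read()


def realpath_check_read(root, name, attacker_hook=None):
    """Check-then-use: canonicalize, compare against root, then open.
    Blocks a pre-planted link but leaves a TOCTOU window between the
    check and the open; attacker_hook stands in for an attacker who
    wins that race."""
    real_root = os.path.realpath(root)
    path = os.path.join(root, name)
    resolved = os.path.realpath(path)
    if os.path.commonpath([real_root, resolved]) != real_root:
        raise PermissionError("resolves outside root: " + name)
    if attacker_hook is not None:
        attacker_hook()          # file is swapped for a link right here
    with open(path) as f:        # open() re-resolves the path and follows the new link
        return f.read()


def safe_read(root, name):
    """Hardened: reject '..' and absolute names, then walk one component at a
    time anchored to a directory fd, opening every step with O_NOFOLLOW so a
    symlink anywhere in the path fails (ELOOP) instead of being followed.
    fstat on the descriptor confirms a regular file was opened. No path is
    re-resolved, so there is no check/use window."""
    parts = name.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("invalid path component in " + name)
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dfd = os.open(root, dir_flags)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, dir_flags, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
    except OSError as e:         # ELOOP for a link, ENOTDIR, ENOENT, ...
        raise PermissionError(f"refused {name}: {e.strerror}") from None
    finally:
        os.close(dfd)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file: " + name)
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)


def outcome(fn, *args):
    """Return the content read, or the name of the exception raised."""
    try:
        return fn(*args)
    except Exception as e:
        return type(e).__name__


def run_demo():
    base, root, secret = build_layout()
    try:
        results = {
            "naive_evil": outcome(naive_read, root, "evil.txt"),
            "check_evil": outcome(realpath_check_read, root, "evil.txt"),
            "safe_ok": outcome(safe_read, root, "notes.txt"),
            "safe_evil": outcome(safe_read, root, "evil.txt"),
            "safe_dotdot": outcome(safe_read, root, "../secret.txt"),
        }

        def swap_notes_for_link():      # simulated attacker winning the race
            target = os.path.join(root, "notes.txt")
            os.remove(target)
            os.symlink(secret, target)

        results["check_raced"] = outcome(realpath_check_read, root, "notes.txt", swap_notes_for_link)
        results["safe_after_race"] = outcome(safe_read, root, "notes.txt")
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16} {value}")
```

The interesting rows are check_raced, where the realpath check passed and the subsequent open still handed out the secret, and safe_after_race, where the descriptor-anchored open refuses the swapped-in link without any separate check. The same structure carries over to Windows: open every component with FILE_FLAG_OPEN_REPARSE_POINT and inspect what was actually opened, rather than trusting a path string that the attacker can re-target.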

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other. Impact: Execute Unauthorized Code or Commands.
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Mitigations (1)
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Recent CVEs in this class (CVSS and Severity values marked (AI) were tagged AI on the listing; "-" means no severity was given):

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-12838 | MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability | Free Backup | 7.3 (AI) | High (AI) | 2025-12-23
CVE-2023-53973 | Zillya Total Security 3.0.2367.0 Local Privilege Escalation via Quarantine Module | Zillya Total Security | 8.4 | High | 2025-12-22
CVE-2025-7073 | Local Privilege Escalation via Arbitrary File Operation in Bitdefender Total Security | Total Security | 7.8 (AI) | High (AI) | 2025-12-10
CVE-2025-46636 | Dell Encryption Link Following Vulnerability | Dell Encryption | 6.6 | Medium | 2025-12-09
CVE-2025-46637 | Dell Encryption Link Following Vulnerability | Dell Encryption | 7.3 | High | 2025-12-09
CVE-2025-60710 | Host Process for Windows Tasks Elevation of Privilege Vulnerability | Windows 11 Version 24H2 | 7.8 | High | 2025-11-11
CVE-2025-59510 | Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability | Windows 10 Version 1607 | 5.5 | Medium | 2025-11-11
CVE-2025-5718 | AXIS OS Security Vulnerability | AXIS OS | 6.8 | Medium | 2025-11-11
CVE-2025-11578 | Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation | Enterprise Server | 7.2 | - | 2025-11-10
CVE-2025-64437 | KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes | kubevirt | 5.0 | Medium | 2025-11-07
CVE-2025-12418 | Potential Denial of Service in Supported Versions of Revenera InstallShield | InstallShield | 4.4 | - | 2025-11-07
CVE-2025-9870 | Razer Synapse 3 RazerPhilipsHueUninstall Link Following Local Privilege Escalation Vulnerability | Synapse 3 | 7.8 (AI) | High (AI) | 2025-10-29
CVE-2025-9871 | Razer Synapse 3 Chroma Connect Link Following Local Privilege Escalation Vulnerability | Synapse 3 | 7.8 (AI) | High (AI) | 2025-10-29
CVE-2025-9869 | Razer Synapse 3 Macro Module Link Following Local Privilege Escalation Vulnerability | Synapse 3 | 7.8 (AI) | High (AI) | 2025-10-29
CVE-2025-12341 | ermig1979 AntiDupl Delete Duplicate Image AntiDupl.NET.WinForms.exe link following | AntiDupl | 7.8 | High | 2025-10-28
CVE-2025-26625 | Git LFS may write to arbitrary files via crafted symlinks | git-lfs | 8.1 (AI) | High (AI) | 2025-10-17
CVE-2025-59241 | Windows Health and Optimized Experiences Elevation of Privilege Vulnerability | Windows 11 Version 24H2 | 7.8 | High | 2025-10-14
CVE-2025-59281 | Xbox Gaming Services Elevation of Privilege Vulnerability | Xbox Gaming Services | 7.8 | High | 2025-10-14
CVE-2025-55247 | .NET Elevation of Privilege Vulnerability | .NET 8.0 | 7.3 | High | 2025-10-14
CVE-2025-62363 | yt-grabber-tui allows arbitrary code execution via configurable yt-dlp path | YtGrabber-TUI | 7.8 | High | 2025-10-13
CVE-2025-62364 | text-generation-webui allows arbitrary file read via symbolic link upload | text-generation-webui | 6.2 | Medium | 2025-10-13
CVE-2025-9968 | ASUS Armoury Crate Security Vulnerability | Armoury Crate | 7.8 (AI) | High (AI) | 2025-10-13
CVE-2025-11462 | Local Privilege Escalation Vulnerability in AWS Client VPN macOS Client | Client VPN | 7.8 | High | 2025-10-07
CVE-2025-41421 | Privilege Escalation via Symbolic Link Spoofing in TeamViewer Client | Full Client | 4.7 | Medium | 2025-10-01
CVE-2025-34191 | Vasion Print (formerly PrinterLogic) Arbitrary File Write as Root via Response Path Symlink Follow | Print Virtual Appliance Host | 7.1 | - | 2025-09-19
CVE-2025-34194 | Vasion Print (formerly PrinterLogic) Local Privilege Escalation via Insecure Temporary File Handling | Print Virtual Appliance Host | 7.8 | - | 2025-09-19
CVE-2025-55317 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Microsoft AutoUpdate for Mac | 7.8 | High | 2025-09-09
CVE-2025-55245 | Xbox Gaming Services Elevation of Privilege Vulnerability | Xbox Gaming Services | 7.8 | High | 2025-09-09
CVE-2025-58373 | Roo Code: Symlink-bypass of .rooignore can lead to unintended file disclosure | Roo-Code | 5.5 | Medium | 2025-09-05
CVE-2025-43726 | Dell Alienware Command Center Link Following Vulnerability | Alienware Command Center 5.x (AWCC) | 6.7 | Medium | 2025-09-02

Vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')) represent 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.