
CWE-59 (Improper Link Resolution Before File Access ('Link Following')) — Vulnerability Class 426

426 vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI Chinese analysis included.

CWE-59 represents a critical input validation weakness where software fails to properly resolve symbolic links or shortcuts before accessing a file. Attackers typically exploit this vulnerability by crafting malicious links that point to sensitive system files or directories outside the intended scope. When the application resolves these links without adequate checks, it inadvertently grants access to unauthorized resources, potentially leading to data leakage, privilege escalation, or remote code execution. To mitigate this risk, developers must implement rigorous link resolution controls, ensuring that all file paths are canonicalized and verified against a strict allowlist before any I/O operations occur. Utilizing secure API functions that explicitly handle link following, combined with strict permission checks on the final resolved path, effectively prevents attackers from leveraging symlinks to bypass security boundaries and access unintended system components.

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)
Scope: Confidentiality, Integrity, Access Control
Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other
Impact: Execute Unauthorized Code or Commands
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Mitigations (1)
Phase: Architecture and Design
Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
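As an added illustration (not code from this page or from any vendor listed below), the canonicalize-then-verify pattern described in the introduction and in the MITRE mitigation above, in Python: the naive reader follows a symlink out of its directory, while the hardened reader resolves the path, checks containment in the allowed directory, and opens the final component with O_NOFOLLOW. The directory layout and the sample secret are constructed for the demo.

```python
import errno
import os
import tempfile

def naive_read(base_dir: str, name: str) -> bytes:
    """Vulnerable pattern (CWE-59): opens the joined path, following any symlink."""
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()

def safe_read(base_dir: str, name: str) -> bytes:
    """Hardened pattern: canonicalize, verify containment in the base directory,
    then open with O_NOFOLLOW so a link at the final component is refused (POSIX)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.join(base, name)
    resolved = os.path.realpath(candidate)
    # Containment check on the fully resolved path catches ".." segments and
    # symlinks anywhere in the path that point outside the allowed directory.
    if os.path.commonpath([base, resolved]) != base:
        raise PermissionError(f"{name!r} resolves outside {base}")
    try:
        fd = os.open(candidate, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:  # last component is a symlink: refuse it
            raise PermissionError(f"{name!r} is a symbolic link") from e
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd
        return f.read()

def demo() -> dict:
    """Constructed scenario: an allowed directory holding a legitimate file and a
    symlink pointing at a secret outside it. Returns what each reader did."""
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "uploads")
        os.mkdir(allowed)
        secret = os.path.join(root, "secret.txt")  # lives outside the allowed dir
        with open(secret, "wb") as f:
            f.write(b"CONSTRUCTED-SECRET")
        with open(os.path.join(allowed, "readme.txt"), "wb") as f:
            f.write(b"hello")
        os.symlink(secret, os.path.join(allowed, "evil.txt"))
        out = {"naive_leaks": naive_read(allowed, "evil.txt") == b"CONSTRUCTED-SECRET",
               "safe_reads_legit": safe_read(allowed, "readme.txt") == b"hello"}
        for bad in ("evil.txt", "../secret.txt"):  # link escape and plain traversal
            try:
                safe_read(allowed, bad)
                out[bad] = "allowed"
            except PermissionError:
                out[bad] = "blocked"
        return out
```

The realpath check alone is still a check-then-use race for the final component; O_NOFOLLOW closes that gap for the last path element, which is why both steps are used together.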
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-57749 | n8n has a symlink traversal vulnerability in "Read/Write File" node allows access to restricted files | n8n | 6.5 | Medium | 2025-08-20
CVE-2025-8612 | AOMEI Backupper Workstation Link Following Local Privilege Escalation Vulnerability | Backupper Workstation | 7.3 | - | 2025-08-20
CVE-2025-5296 | Schneider Electric SESU link following vulnerability | SESU | 7.3 | High | 2025-08-18
CVE-2025-8959 | HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack | Shared library | 7.5 | High | 2025-08-15
CVE-2025-43490 | HP Hotkey Support – Escalation of Privilege | HP Hotkey Support Software | 7.8 (AI) | High (AI) | 2025-08-15
CVE-2025-55188 | 7-Zip security vulnerability | 7-Zip | 3.6 | Low | 2025-08-08
CVE-2025-54798 | tmp does not restrict arbitrary temporary file / directory write via symbolic link `dir` parameter | node-tmp | 2.5 | Low | 2025-08-07
CVE-2025-36611 | Dell Security Management Server and Dell Encryption link following vulnerability | Encryption | 7.3 | High | 2025-07-30
CVE-2025-23267 | NVIDIA Container Toolkit link following vulnerability | Container Toolkit | 8.5 | High | 2025-07-17
CVE-2025-7012 | Cato Networks Linux Client Local Privilege Escalation via Symlink | Cato Client | 7.8 (AI) | High (AI) | 2025-07-13
CVE-2025-49739 | Visual Studio Elevation of Privilege Vulnerability | Microsoft Visual Studio 2015 Update 3 | 8.8 | High | 2025-07-08
CVE-2025-49738 | Microsoft PC Manager Elevation of Privilege Vulnerability | Microsoft PC Manager | 7.8 | High | 2025-07-08
CVE-2025-49680 | Windows Performance Recorder (WPR) Denial of Service Vulnerability | Windows 10 Version 1507 | 7.3 | High | 2025-07-08
CVE-2025-48820 | Windows AppX Deployment Service Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.8 | High | 2025-07-08
CVE-2025-48799 | Windows Update Service Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2025-07-08
CVE-2025-21195 | Azure Service Fabric Runtime Elevation of Privilege Vulnerability | Service Fabric | 6.0 | Medium | 2025-07-08
CVE-2025-41668 | Phoenix Contact: File access due to the replacement of a critical file used by the service security-profile | AXC F 1152 | 8.8 | High | 2025-07-08
CVE-2025-41667 | Phoenix Contact: File access due to the replacement of a critical file used by the arp-preinit script | AXC F 1152 | 8.8 | High | 2025-07-08
CVE-2025-41666 | Phoenix Contact: File access due to the replacement of a critical file used by the watchdog | AXC F 1152 | 8.8 | High | 2025-07-08
CVE-2025-53109 | Model Context Protocol Servers Vulnerable to Path Validation Bypass via Prefix Matching and Symlink Handling | servers | 4.3 (AI) | Medium (AI) | 2025-07-02
CVE-2025-3771 | Trellix System Information Reporter security vulnerability | System Information Reporter | 7.1 (AI) | High (AI) | 2025-06-26
CVE-2025-52936 | Improper Link Resolution Before File Access vulnerability in yrutschle/sslh | sslh | 8.2 (AI) | High (AI) | 2025-06-23
CVE-2025-30642 | Trend Micro Deep Security security vulnerability | Trend Micro Deep Security | 5.5 | Medium | 2025-06-17
CVE-2025-30641 | Trend Micro Deep Security security vulnerability | Trend Micro Deep Security | 7.8 | High | 2025-06-17
CVE-2025-30640 | Trend Micro Deep Security security vulnerability | Trend Micro Deep Security | 7.8 | High | 2025-06-17
CVE-2025-33075 | Windows Installer Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.8 | High | 2025-06-10
CVE-2025-32721 | Windows Recovery Driver Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.3 | High | 2025-06-10
CVE-2025-5474 | 2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability | SyncBackFree | 7.3 (AI) | High (AI) | 2025-06-06
CVE-2024-11857 | Realtek Bluetooth HCI Adaptor - Privilege Escalation | Bluetooth HCI Adaptor | 7.8 | High | 2025-06-02
CVE-2025-47181 | Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability | Microsoft Edge (Chromium-based) Updater | 8.8 | High | 2025-05-22

Vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')) represent 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.