Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-59 (在文件访问前对链接解析不恰当(链接跟随)) — Vulnerability Class 426

426 vulnerabilities classified as CWE-59 (在文件访问前对链接解析不恰当(链接跟随)). AI Chinese analysis included.

CWE-59 represents a critical input validation weakness where software fails to properly resolve symbolic links or shortcuts before accessing a file. Attackers typically exploit this vulnerability by crafting malicious links that point to sensitive system files or directories outside the intended scope. When the application resolves these links without adequate checks, it inadvertently grants access to unauthorized resources, potentially leading to data leakage, privilege escalation, or remote code execution. To mitigate this risk, developers must implement rigorous link resolution controls, ensuring that all file paths are canonicalized and verified against a strict allowlist before any I/O operations occur. Utilizing secure API functions that explicitly handle link following, combined with strict permission checks on the final resolved path, effectively prevents attackers from leveraging symlinks to bypass security boundaries and access unintended system components.

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)
Confidentiality, Integrity, Access ControlRead Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
OtherExecute Unauthorized Code or Commands
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Mitigations (1)
Architecture and DesignFollow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CVE IDTitleCVSSSeverityPublished
CVE-2025-2102 HYPR Passwordless 安全漏洞 — Passwordless 7.8AIHighAI2025-05-21
CVE-2025-3908 OpenVPN 安全漏洞 — OpenVPN 3 Linux 5.5AIMediumAI2025-05-19
CVE-2025-4211 Improper Link Resolution Before File Access in QFileSystemEngine on Windows — Qt 8.4AIHighAI2025-05-16
CVE-2025-29837 Windows Installer Information Disclosure Vulnerability — Windows 10 Version 1507 5.5 Medium2025-05-13
CVE-2025-29975 Microsoft PC Manager Elevation of Privilege Vulnerability — Microsoft PC Manager 7.8 High2025-05-13
CVE-2025-22247 Insecure file handling vulnerability — VMware Tools 6.1 Medium2025-05-12
CVE-2024-9524 Privilege Escalation Vulnerability in Avira Prime Version 1.1.96.2 — Prime 7.8 High2025-05-09
CVE-2024-13962 Link Following Local Privilege Escalation Vulnerability in Avast Cleanup Premium Version 24.2.16593.17810 — CleanUp Premium 7.8 High2025-05-09
CVE-2024-13961 Avast Cleanup Premium TuneupSvc Link Following Local Privilege Escalation Vulnerability — CleanUp Premium 7.8 High2025-05-09
CVE-2024-13960 Link Following Local Privilege Escalation Vulnerability in AVG TuneUp Version 23.4 — TuneUp 7.8 High2025-05-09
CVE-2024-13959 Link Following Local Privilege Escalation Vulnerability in AVG TuneUp 24.2.16593.9844 — TuneUp 7.8 High2025-05-09
CVE-2024-13759 Local Privilege Escalation in Avira Prime 1.1.96.2 on Windows 10 x64 — Prime 7.8 High2025-05-09
CVE-2025-1697 HP Touchpoint Analytics Service – Potential Escalation of Privilege — HP Touchpoint Analytics Service 7.8 -2025-04-18
CVE-2025-32817 SonicWALL Connect Tunnel 安全漏洞 — Connect Tunnel 8.4AIHighAI2025-04-16
CVE-2025-29983 Dell Trusted Device 后置链接漏洞 — Dell Trusted Device Client 6.7 Medium2025-04-15
CVE-2025-23010 SonicWALL NetExtender Windows client 安全漏洞 — NetExtender 7.5AIHighAI2025-04-10
CVE-2025-27727 Windows Installer Elevation of Privilege Vulnerability — Windows 10 Version 1507 7.8 High2025-04-08
CVE-2025-21204 Windows Process Activation Elevation of Privilege Vulnerability — Windows 10 Version 1507 7.8 High2025-04-08
CVE-2025-30371 Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint — metabase 6.1 -2025-03-28
CVE-2024-12905 tar-fs 安全漏洞 7.5 High2025-03-27
CVE-2025-29795 Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability — Microsoft Edge Update Setup 7.8 High2025-03-23
CVE-2024-10986 Local File Read (LFI) by Tarslip Symlink via arxiv_download() API in binary-husky/gpt_academic — binary-husky/gpt_academic 7.5 -2025-03-20
CVE-2024-12390 Remote Code Execution in binary-husky/gpt_academic — binary-husky/gpt_academic 8.8 -2025-03-20
CVE-2024-12216 Arbitrary File Write via TarSlip in dmlc/gluon-cv — dmlc/gluon-cv 6.5 -2025-03-20
CVE-2025-1683 Symbolic Link Exploit in 1E Client's - Nomad module allows Arbitrary File Deletion — 1E Client 7.8 High2025-03-12
CVE-2025-25008 Windows Server Elevation of Privilege Vulnerability — Windows Server 2016 7.1 High2025-03-11
CVE-2025-25185 GPT Academic allows arbitary file read by tarfile uncompress within softlink — gpt_academic 7.5 High2025-03-03
CVE-2020-3432 Cisco AnyConnect Secure Mobility Client for Mac OS File Corruption Vulnerability — Cisco Secure Client 5.5 -2025-02-11
CVE-2025-21373 Windows Installer Elevation of Privilege Vulnerability — Windows 10 Version 1507 7.8 High2025-02-11
CVE-2025-21322 Microsoft PC Manager Elevation of Privilege Vulnerability — Microsoft PC Manager 7.8 High2025-02-11

Vulnerabilities classified as CWE-59 (在文件访问前对链接解析不恰当(链接跟随)) represent 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.