CWE-59 (Improper Link Resolution Before File Access ('Link Following')) — Vulnerability Class 426

426 vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI-generated Chinese analysis included.

CWE-59 is an input validation weakness in which software fails to properly resolve symbolic links or shortcuts before accessing a file. Attackers typically exploit this weakness by planting links that point to sensitive system files or to directories outside the intended scope. When the application follows these links without adequate checks, it inadvertently operates on unauthorized resources, which can lead to data leakage, privilege escalation, or remote code execution. To mitigate this risk, developers must implement rigorous link resolution controls, ensuring that every file path is canonicalized and verified against a strict allowlist before any I/O operation occurs. Using secure API functions that explicitly control link following, combined with strict permission checks on the final resolved path, prevents attackers from leveraging symlinks to bypass security boundaries and reach unintended system components.

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other. Impact: Execute Unauthorized Code or Commands.
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Mitigations (1)
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-21347 | Windows Deployment Services Denial of Service Vulnerability | Windows 10 Version 1507 | 6.0 | Medium | 2025-02-11
CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.8 | High | 2025-02-11
CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.1 | High | 2025-02-11
CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.1 | High | 2025-02-11
CVE-2025-21188 | Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | Azure Network Watcher VM Extension | 6.0 | Medium | 2025-02-11
CVE-2025-0413 | Parallels Desktop Technical Data Reporter Link Following Local Privilege Escalation Vulnerability | Desktop | 7.8 | - | 2025-02-04
CVE-2025-0146 | Zoom Workplace app for macOS - Symlink Following | Zoom Workplace app for macOS | 3.9 | Low | 2025-01-30
CVE-2025-0377 | HashiCorp go-slug Vulnerable to Zip Slip Attack | Shared library | 7.5 | High | 2025-01-21
CVE-2025-21331 | Windows Installer Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.3 | High | 2025-01-14
CVE-2025-21274 | Windows Event Tracing Denial of Service Vulnerability | Windows 10 Version 1507 | 5.5 | Medium | 2025-01-14
CVE-2024-52050 | Trend Micro Apex One Security Vulnerability | Trend Micro Apex One | 7.8 | High | 2024-12-31
CVE-2024-12753 | Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability | PDF Reader | 7.8 | - | 2024-12-30
CVE-2024-13043 | Panda Security Dome Link Following Local Privilege Escalation Vulnerability | Dome | 7.8 | - | 2024-12-30
CVE-2024-12754 | AnyDesk Link Following Information Disclosure Vulnerability | AnyDesk | 5.5 | - | 2024-12-30
CVE-2024-12552 | Wacom Center WTabletServicePro Link Following Local Privilege Escalation Vulnerability | Center | 7.8 | - | 2024-12-13
CVE-2024-49107 | WmsRepair Service Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.3 | High | 2024-12-10
CVE-2024-49059 | Microsoft Office Elevation of Privilege Vulnerability | Microsoft Office 2019 | 7.0 | High | 2024-12-10
CVE-2024-37143 | Dell PowerFlex Link Following Vulnerability | Dell PowerFlex appliance | 10.0 | Critical | 2024-12-10
CVE-2024-50404 | Qsync Central | Qsync Central | 5.7 | - | 2024-12-06
CVE-2024-53691 | QTS, QuTS hero | QTS | 5.7 | - | 2024-12-06
CVE-2024-22038 | DoS attacks, information leaks etc. with crafted Git repositories in obs-scm-bridge | openSUSE Factory | 7.3 | High | 2024-11-28
CVE-2024-7242 | Panda Security Dome Link Following Local Privilege Escalation Vulnerability | Dome | 7.8 | - | 2024-11-22
CVE-2024-7241 | Panda Security Dome Link Following Local Privilege Escalation Vulnerability | Dome | 7.8 | - | 2024-11-22
CVE-2024-7243 | Panda Security Dome Link Following Local Privilege Escalation Vulnerability | Dome | 7.8 | - | 2024-11-22
CVE-2024-7240 | F-Secure Total Link Following Local Privilege Escalation Vulnerability | Total | 6.5 | - | 2024-11-22
CVE-2024-7238 | VIPRE Advanced Security SBAMSvc Link Following Local Privilege Escalation Vulnerability | Advanced Security | 7.8 | - | 2024-11-22
CVE-2024-7239 | VIPRE Advanced Security Link Following Local Privilege Escalation Vulnerability | Advanced Security | 7.8 | - | 2024-11-22
CVE-2024-7236 | AVG AntiVirus Free icarus Arbitrary File Creation Denial of Service Vulnerability | AntiVirus Free | 5.5 | - | 2024-11-22
CVE-2024-7234 | AVG AntiVirus Free AVGSvc Link Following Local Privilege Escalation Vulnerability | AntiVirus Free | 7.8 | - | 2024-11-22
CVE-2024-7237 | AVG AntiVirus Free AVGSvc Link Following Local Privilege Escalation Vulnerability | AntiVirus Free | 7.8 | - | 2024-11-22

Vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')) represent 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.