Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-641 (文件和其他资源名称限制不恰当) — Vulnerability Class 11

11 vulnerabilities classified as CWE-641 (文件和其他资源名称限制不恰当). AI Chinese analysis included.

CWE-641 represents a critical input validation weakness where applications construct file or resource names using untrusted upstream data without adequate restriction. Attackers typically exploit this vulnerability by injecting malicious characters, such as path traversal sequences or scripting symbols, into the input stream. This manipulation allows adversaries to access restricted system files, execute arbitrary code in the client’s browser, or overwrite critical application resources. To mitigate this risk, developers must implement strict input sanitization and validation protocols. By enforcing allowlists for acceptable characters and normalizing paths before processing, engineers can prevent the interpretation of special symbols as functional commands. Additionally, utilizing secure APIs that handle resource naming internally further reduces the attack surface, ensuring that external inputs are treated strictly as data rather than executable instructions or structural directives.

MITRE CWE Description
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in the client's browser if the application ever displays the name of the resource on a dynamically generated web page. Alternately, if the resources are consumed by some application parser, a specially crafted name can exploit some vulnerability internal to the parser, potentially resulting in execution of arbitrary code on the server machine. The problems will vary based on the context of usage of such malformed resource names and whether vulnerabilities are present in or assumptions are made by the targeted technology that would make code execution possible.
Common Consequences (2)
Integrity, Confidentiality, AvailabilityExecute Unauthorized Code or Commands
Execution of arbitrary code in the context of usage of the resources with dangerous names.
Confidentiality, AvailabilityRead Application Data, DoS: Crash, Exit, or Restart
Crash of the consumer code of these resources resulting in information leakage or denial of service.
Mitigations (3)
Architecture and DesignDo not allow users to control names of resources used on the server side.
Architecture and DesignPerform allowlist input validation at entry points and also before consuming the resources. Reject bad file names rather than trying to cleanse them.
Architecture and DesignMake sure that technologies consuming the resources are not vulnerable (e.g. buffer overflow, format string, etc.) in a way that would allow code execution if the name of the resource is malformed.
CVE IDTitleCVSSSeverityPublished
CVE-2019-25623 Luminance Studio 2.17 Denial of Service via Malformed Input — Luminance Studio 6.2 Medium2026-03-23
CVE-2026-25177 Active Directory Domain Services Elevation of Privilege Vulnerability — Windows 10 Version 1607 8.8 High2026-03-10
CVE-2025-47173 Microsoft Office Remote Code Execution Vulnerability — Microsoft 365 Apps for Enterprise 7.8 High2025-06-10
CVE-2025-47953 Microsoft Office Remote Code Execution Vulnerability — Microsoft 365 Apps for Enterprise 8.4 High2025-06-10
CVE-2024-47260 AXIS OS 安全漏洞 — AXIS OS 6.5 Medium2025-03-04
CVE-2025-21402 Microsoft Office OneNote Remote Code Execution Vulnerability — Microsoft Office LTSC for Mac 2021 7.8 High2025-01-14
CVE-2025-21361 Microsoft Outlook Remote Code Execution Vulnerability — Microsoft Office LTSC for Mac 2021 7.8 High2025-01-14
CVE-2024-45312 Arbitrary language parameter can passed to `aspell` executable via spelling requests in overleaf — overleaf 5.3 Medium2024-09-02
CVE-2024-30063 Windows Distributed File System (DFS) Remote Code Execution Vulnerability — Windows 10 Version 1809 6.7 Medium2024-06-11
CVE-2023-0046 Improper Restriction of Names for Files and Other Resources in lirantal/daloradius — lirantal/daloradius 7.2 -2023-01-04
CVE-2022-36302 Bosch BF-OS 注入漏洞 — BF-OS 8.8 High2022-08-01

Vulnerabilities classified as CWE-641 (文件和其他资源名称限制不恰当) represent 11 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.