Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-647 (使用未经净化的URL路径进行授权决策) — Vulnerability Class 6

6 vulnerabilities classified as CWE-647 (使用未经净化的URL路径进行授权决策). AI Chinese analysis included.

CWE-647 represents a critical authorization weakness where applications rely on non-canonical URL representations to enforce security policies. This flaw occurs when software assumes a requested URL is unique or standardized, failing to normalize paths before evaluating access rights. Attackers typically exploit this by submitting obfuscated or redundant URL variations, such as using double slashes, dot-dot sequences, or case mismatches, to bypass intended restrictions and access protected resources. To mitigate this risk, developers must implement robust input normalization routines that convert all incoming URLs into a strict canonical format before processing authorization logic. By ensuring that every request is evaluated against a consistent, standardized path representation, organizations can effectively prevent attackers from leveraging URL ambiguities to circumvent security controls and maintain the integrity of their access management systems.

MITRE CWE Description
The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as: http://WWW.EXAMPLE.COM/mypage http://www.example.com/%6Dypage (alternate encoding) http://192.168.1.1/mypage (IP address) http://www.example.com/mypage/ (trailing /) http://www.example.com:80/mypage Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule).
Common Consequences (2)
Access ControlBypass Protection Mechanism
An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL.
ConfidentialityRead Files or Directories
If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. as a program).
Mitigations (2)
Architecture and DesignMake access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.
Architecture and DesignReject all alternate path encodings that are not in the expected canonical form.
Examples (1)
Example from CAPEC (CAPEC ID: 4, "Using Alternative IP Address Encodings"). An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentica…
CVE IDTitleCVSSSeverityPublished
CVE-2025-9909 Aap-gateway: improper path validation in gateway allows credential exfiltration — Red Hat Ansible Automation Platform 2.5 for RHEL 8 6.7 Medium2026-02-27
CVE-2025-66202 Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 — astro 6.5 Medium2025-12-08
CVE-2025-64500 Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass — symfony 7.3 High2025-11-12
CVE-2025-47241 Browser Use 安全漏洞 — browser-use 4.0 Medium2025-05-03
CVE-2025-43916 Sonos api.sonos.com 安全漏洞 — api.sonos.com 3.4 Low2025-04-21
CVE-2022-43939 Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions — Pentaho Business Analytics Server 8.6 High2023-04-03

Vulnerabilities classified as CWE-647 (使用未经净化的URL路径进行授权决策) represent 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.