Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-73 (文件名或路径的外部可控制) — Vulnerability Class 315

315 vulnerabilities classified as CWE-73 (文件名或路径的外部可控制). AI Chinese analysis included.

CWE-73 represents a critical input validation weakness where applications allow external actors to dictate file system paths, potentially leading to unauthorized access or modification of sensitive data. Attackers typically exploit this vulnerability through path traversal techniques, injecting sequences like “../” to escape intended directories and reach critical system files or application configurations. This manipulation occurs when software fails to sanitize user-supplied input before using it in filesystem operations, allowing the attacker to bypass intended access controls. To mitigate this risk, developers must implement rigorous input validation, ensuring that all file paths are strictly checked against a whitelist of allowed directories. Additionally, using canonicalization functions to resolve paths before comparison and employing chroot jails can effectively isolate file access, thereby preventing attackers from navigating outside the designated application sandbox.

MITRE CWE Description
The product allows user input to control or influence paths or file names that are used in filesystem operations. This could allow an attacker to access or modify system files or other files that are critical to the application. Path manipulation errors occur when the following two conditions are met: 1. An attacker can specify a path used in an operation on the filesystem. 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
Common Consequences (3)
Integrity, ConfidentialityRead Files or Directories, Modify Files or Directories
The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.
Integrity, Confidentiality, AvailabilityModify Files or Directories, Execute Unauthorized Code or Commands
The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other)
The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not hav…
Mitigations (5)
Architecture and DesignWhen the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
Architecture and Design, OperationRun your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the oper…
Architecture and DesignFor any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
ImplementationUse a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
Examples (2)
The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).
String rName = request.getParameter("reportName"); File rFile = new File("/usr/local/apfr/reports/" + rName); ... rFile.delete();
Bad · Java
The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.
fis = new FileInputStream(cfg.getProperty("sub")+".txt"); amt = fis.read(arr); out.println(arr);
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2025-48783 Soar Cloud HRD Human Resource Management System - External Control of File Name or Path — HRD Human Resource Management System 7.5AIHighAI2025-06-06
CVE-2025-48781 Soar Cloud HRD Human Resource Management System - External Control of File Name or Path — HRD Human Resource Management System 5.3AIMediumAI2025-06-06
CVE-2025-32802 Insecure handling of file paths allows multiple local attacks — Kea 6.1 Medium2025-05-28
CVE-2025-4603 eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion — eMagicOne Store Manager for WooCommerce 9.1 Critical2025-05-24
CVE-2025-4602 eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Read — eMagicOne Store Manager for WooCommerce 5.9 Medium2025-05-24
CVE-2024-51553 Predictable Filename — ASPECT-Enterprise 6.5 Medium2025-05-22
CVE-2025-2409 Admin Authorized System File corruption — ASPECT-Enterprise 9.1 Critical2025-05-22
CVE-2025-3812 WPBot Pro Wordpress Chatbot <= 13.6.2 - Authenticated (Subscriber+) Arbitrary File Deletion — WPBot Pro Wordpress Chatbot 8.1 High2025-05-17
CVE-2025-26646 .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability — .NET 8.0 8.0 High2025-05-13
CVE-2025-26684 Microsoft Defender Elevation of Privilege Vulnerability — Microsoft Defender for Endpoint for Linux 6.7 Medium2025-05-13
CVE-2025-3419 Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read — Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) 7.5 High2025-05-08
CVE-2025-46762 Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata — Apache Parquet Java 9.8AICriticalAI2025-05-06
CVE-2025-1056 AXIS Camera Station Pro 安全漏洞 — AXIS Camera Station Pro 6.1 Medium2025-04-23
CVE-2025-3103 CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon <= 2.4 - Unauthenticated Arbitrary File Read — CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon 7.5 High2025-04-19
CVE-2025-0124 PAN-OS: Authenticated File Deletion Vulnerability on the Management Web Interface — Cloud NGFW 7.1AIHighAI2025-04-11
CVE-2025-29819 Windows Admin Center in Azure Portal Information Disclosure Vulnerability — Windows Admin Center 6.2 Medium2025-04-08
CVE-2025-3431 ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.91 - Unauthenticated Arbitrary File Download — ZoomSounds - WordPress Wave Audio Player with Playlist 7.5 High2025-04-08
CVE-2025-2004 Simple WP Events <= 1.8.17 - Unauthenticated Arbitrary File Deletion — Simple WP Events 9.1 Critical2025-04-08
CVE-2025-2982 Legrand SMS PowerView file inclusion — SMS PowerView 6.3 Medium2025-03-31
CVE-2025-1911 Product Import Export for WooCommerce <= 2.5.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function — Product Import Export for WooCommerce – Import Export Product CSV Suite 2.7 Low2025-03-26
CVE-2024-10210 Path traversal in APROL Web Portal — APROL 6.5AIMediumAI2025-03-25
CVE-2025-1972 Export and Import Users and Customers <= 2.6.2 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function — Export and Import Users and Customers 2.7 Low2025-03-22
CVE-2024-13922 Order Export & Order Import for WooCommerce <= 2.6.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function — Order Export & Order Import for WooCommerce 2.7 Low2025-03-20
CVE-2024-10834 Arbitrary File Write in eosphoros-ai/db-gpt — eosphoros-ai/db-gpt 9.1 -2025-03-20
CVE-2024-6829 Arbitrary File Overwrite through tarfile-extraction in aimhubio/aim — aimhubio/aim 6.5 -2025-03-20
CVE-2024-8616 Arbitrary File Overwrite in h2oai/h2o-3 — h2oai/h2o-3 8.6 -2025-03-20
CVE-2024-11042 Arbitrary File Delete in invoke-ai/invokeai — invoke-ai/invokeai 9.1 -2025-03-20
CVE-2025-0452 Arbitrary File Deletion in eosphoros-ai/DB-GPT — eosphoros-ai/db-gpt 9.1 -2025-03-20
CVE-2025-29930 imFAQ allows local file inclusion in seo.php — imfaq 6.5 -2025-03-18
CVE-2023-45588 Fortinet FortiClientMAC 安全漏洞 — FortiClientMac 7.8 High2025-03-14

Vulnerabilities classified as CWE-73 (文件名或路径的外部可控制) represent 315 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.