CWE-59: Improper Link Resolution Before File Access ('Link Following')
PUBLISHED · weakness record · Medium
released 2006-07-19 · last modified 2025-12-11
Metadata
- CWE ID: CWE-59
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Release Date: 2006-07-19
- Latest Modification Date: 2025-12-11
Weakness Name
Improper Link Resolution Before File Access ('Link Following')
Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences
- Scope: Confidentiality, Integrity, Access Control
- Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
- Notes: An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
- Scope: Other
- Impact: Execute Unauthorized Code or Commands
- Notes: Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.