CWE-59: Improper Link Resolution Before File Access ('Link Following')

PUBLISHED · weakness record · Medium
released 2006-07-19 · last modified 2025-12-11

Metadata

CWE ID:
CWE-59
Abstraction:
Base
Structure:
Simple
Status:
Draft
Release Date:
2006-07-19
Latest Modification Date:
2025-12-11

Weakness Name

Improper Link Resolution Before File Access ('Link Following')

Description

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
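The weakness described above, shown as an added example that is not part of the CWE record: a name-based read that follows a planted symlink, next to a POSIX-only hardened read that refuses links and checks the opened object. The function names, directory layout and file contents are constructed for illustration, and `base_dir` is assumed to be a trusted directory.

```python
import os
import stat
import tempfile

def read_naive(path):
    # Weak form: open() follows symlinks, so the name alone decides nothing.
    with open(path, "rb") as f:
        return f.read()

def read_nofollow(base_dir, name):
    # Hardened form (POSIX only). base_dir is assumed to be trusted.
    if not name or name in (".", "..") or "/" in name:
        raise ValueError("name must be a single path component")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # O_NOFOLLOW: fail instead of resolving a symlink in the last component.
        # O_NONBLOCK: do not hang if the name turns out to be a FIFO.
        flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
        fd = os.open(name, flags, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:
        # Check the object that was opened, not the name, to avoid a race.
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise PermissionError("not a plain, singly linked regular file")
        return f.read()

def demo():
    # Constructed scenario: uploads/ holds one real file and one planted symlink.
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"outside")
        with open(os.path.join(uploads, "report.txt"), "wb") as f:
            f.write(b"inside")
        os.symlink(secret, os.path.join(uploads, "link.txt"))
        naive = read_naive(os.path.join(uploads, "link.txt"))
        safe = read_nofollow(uploads, "report.txt")
        try:
            read_nofollow(uploads, "link.txt")
            blocked = False
        except OSError:
            blocked = True
        return naive, safe, blocked

if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only covers the final path component, which is why the hardened read accepts a single component and opens it relative to a pinned directory descriptor.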

Common Consequences

Scope:
Confidentiality, Integrity, Access Control
Impact:
Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
Notes:
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism, then an attacker may be able to bypass the mechanism.
Scope:
Other
Impact:
Execute Unauthorized Code or Commands
Notes:
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.

Related Weaknesses