1. Home
  2. CWE Database
  3. CWE-61
Compound · Complex

CWE-61: UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an...

CWE-61 · Compound Level ·13 CVEs ·2 Mitigations

Description

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.

Potential Impact

Confidentiality, Integrity

Read Files or Directories, Modify Files or Directories

Mitigations & Prevention

Implementation

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

Architecture and Design

Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-1999-1386Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
CVE-2000-1178Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
CVE-2004-0217Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
CVE-2003-0517Symlink attack allows local users to overwrite files.
CVE-2004-0689Possible interesting example
CVE-2005-1879Second-order symlink vulnerabilities
CVE-2005-1880Second-order symlink vulnerabilities
CVE-2005-1916Symlink in Python program
CVE-2000-0972Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
CVE-2005-0824Signal causes a dump that follows symlinks.
CVE-2015-3629A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container.
CVE-2020-26277In a MySQL database deployment tool, users may craft a maliciously packaged tarball that contains symlinks to files external to the target and once unpacked, will execute.
CVE-2021-21272"Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball.

CWE-59: Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identif...

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a ti...

CWE-340: Generation of Predictable Numbers or Identifiers

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

CWE-386: Symbolic Name not Mapping to Correct Object

A constant symbolic reference to an object is used, even though the reference can resolve to a different object over tim...

CWE-732: Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modi...

Taxonomy Mappings

  • PLOVER: — UNIX symbolic link following

Frequently Asked Questions

What is CWE-61?

CWE-61 (UNIX Symbolic Link (Symlink) Following) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Compound-level weakness. The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an...

How can CWE-61 be exploited?

Attackers can exploit CWE-61 (UNIX Symbolic Link (Symlink) Following) to read files or directories, modify files or directories. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-61?

Key mitigations include: Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating

What is the severity of CWE-61?

CWE-61 is classified as a Compound-level weakness (Complex abstraction). It has been observed in 13 real-world CVEs.