CWE-425: Direct Request ('Forced Browsing')
Also known as: forced browsing
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Last updated
Overview
CWE-425 (Direct Request ('Forced Browsing')) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
101 recorded CVEs are caused by CWE-425 (Direct Request ('Forced Browsing')), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 16 new CWE-425 CVEs have been recorded so far in 2026 (28 in 2025).
- CVE-2024-45195CISA KEV
Apache OFBiz: Confused controller-view authorization logic (forced browsing)
Critical · CVSS 9.3 · EPSS 100th2024-09-04 - CVE-2021-26085CISA KEVMedium · CVSS 6.9 · EPSS 100th2021-08-03
- CVE-2018-3774Critical · CVSS 10.0 · EPSS 89th2018-08-12
- CVE-2025-26689Critical · CVSS 9.8 · EPSS 63th2025-03-31
- CVE-2024-24592Critical · CVSS 9.8 · EPSS 58th2024-02-06
- CVE-2024-0204Critical · CVSS 9.8 · EPSS 100th2024-01-22
- CVE-2023-2524Critical · CVSS 9.8 · EPSS 36th2023-05-04
- CVE-2023-1699Critical · CVSS 9.8 · EPSS 36th2023-03-30
- CVE-2022-45276Critical · CVSS 9.8 · EPSS 53th2022-11-23
- CVE-2025-52024Critical · CVSS 9.4 · EPSS 33th2026-01-23
- CVE-2025-55736
flaskBlog allows arbitrary privilege escalation
Critical · CVSS 9.3 · EPSS 16th2025-08-19 - CVE-2025-1542
Improper permission control in OXARI ServiceDesk
Critical · CVSS 9.3 · EPSS 30th2025-03-26
Showing 12 of 101 recorded CWE-425 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-425 vulnerabilitiesCommon consequences
What can happen when CWE-425 is exploited.
Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity
Affects: Confidentiality, Integrity, Availability, Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-425, grouped by where in the lifecycle they apply.
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Consider using MVC based frameworks such as Struts.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
Attack input
http://somesite.com/someapplication/admin.jspIllustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-29238 — Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
- CVE-2004-2144 — Bypass authentication via direct request.
- CVE-2005-1892 — Infinite loop or infoleak triggered by direct requests.
- CVE-2004-2257 — Bypass auth/auth via direct request.
- CVE-2005-1688 — Direct request leads to infoleak by error.
- CVE-2005-1697 — Direct request leads to infoleak by error.
- CVE-2005-1698 — Direct request leads to infoleak by error.
- CVE-2005-1685 — Authentication bypass via direct request.
- CVE-2005-1827 — Authentication bypass via direct request.
- CVE-2005-1654 — Authorization bypass using direct request.
- CVE-2005-1668 — Access privileged functionality using direct request.
- CVE-2002-1798 — Upload arbitrary files via direct request.
Terminology & mappings
Alternate terms
- forced browsing
- The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.
Mapped taxonomies
- PLOVER: Direct Request aka 'Forced Browsing'
- OWASP Top Ten 2007: Failure to Restrict URL Access (A10) — CWE More Specific fit
- OWASP Top Ten 2004: Unvalidated Input (A1) — CWE More Specific fit
- OWASP Top Ten 2004: Broken Access Control (A2) — CWE More Specific fit
- WASC: Predictable Resource Location (34)
- Software Fault Patterns: Missing endpoint authentication (SFP30)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-425.
- What is CWE-425?
- The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
- What CVEs are caused by CWE-425?
- 101 recorded CVEs are attributed to CWE-425, including CVE-2024-45195, CVE-2021-26085, CVE-2018-3774. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Is CWE-425 part of the OWASP Top 10?
- CWE-425 maps to OWASP Top Ten 2007: Failure to Restrict URL Access (A10) in the OWASP security taxonomy.
- How do you prevent CWE-425?
- Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
- What are the consequences of CWE-425?
- Exploiting CWE-425 can lead to: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity.
- Is CWE-425 actively exploited?
- Yes. 2 CWE-425 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 101 recorded CVEs.
References
- MITRE CWE definition (CWE-425) (opens in a new tab)
- CWE-425 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-425
Get alerted the moment a new CWE-425 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.