The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

What CVEs are caused by CWE-59?

561 recorded CVEs are attributed to CWE-59, including CVE-2025-60710, CVE-2022-21999, CVE-2019-1385. 20 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-59?

Follow the principle of least privilege when assigning access rights to entities in a software system.

How is CWE-59 detected?

Automated Static Analysis - Binary or Bytecode: According to SOAR [REF-1479], the following detection techniques may be useful:

What are the consequences of CWE-59?

Exploiting CWE-59 can lead to: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism, Execute Unauthorized Code or Commands.

Is CWE-59 actively exploited?

Yes. 20 CWE-59 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 561 recorded CVEs.

CWE-59: Improper Link Resolution Before File Access ('Link Following') (insecure temporary file)

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-1999-1386 — Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
CVE-2000-1178 — Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
CVE-2004-0217 — Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
CVE-2003-0517 — Symlink attack allows local users to overwrite files.
CVE-2004-0689 — Window manager does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.
CVE-2005-1879 — Second-order symlink vulnerabilities
CVE-2005-1880 — Second-order symlink vulnerabilities
CVE-2005-1916 — Symlink in Python program
CVE-2000-0972 — Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
CVE-2005-0824 — Signal causes a dump that follows symlinks.
CVE-2001-1494 — Hard link attack, file overwrite; interesting because program checks against soft links
CVE-2002-0793 — Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.
CVE-2003-0578 — Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
CVE-1999-0783 — Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
CVE-2004-1603 — Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.
CVE-2004-1901 — Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
CVE-2005-1111 — Hard link race condition
CVE-2000-0342 — Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment."
CVE-2001-1042 — FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2001-1043 — FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2005-0587 — Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
CVE-2001-1386 — ".LNK." - .LNK with trailing dot
CVE-2003-1233 — Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link
CVE-2002-0725 — File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.
CVE-2003-0844 — Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.
CVE-2015-3629 — A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container.
CVE-2021-21272 — "Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball.
CVE-2020-27833 — "Zip Slip" vulnerability in container management product allows writing arbitrary files outside intended directory via a container image (.tar format) with filenames that are symbolic links that point to other files within the same tar file; however, the files being pointed to can also be symbolic links to destinations outside the intended directory, bypassing the initial check.

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Architecture or Design Review

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-59?

What CVEs are caused by CWE-59?

How do you prevent CWE-59?

How is CWE-59 detected?

What are the consequences of CWE-59?

Is CWE-59 actively exploited?

References

Stay ahead of CWE-59

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Architecture or Design Review

Illustrative examples

Related weaknesses

Parent

Child

Related

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-59?

What CVEs are caused by CWE-59?

How do you prevent CWE-59?

How is CWE-59 detected?

What are the consequences of CWE-59?

Is CWE-59 actively exploited?

References

Stay ahead of CWE-59