Compound weakness

Composite

Incomplete

CWE-61: UNIX Symbolic Link (Symlink) Following

Also known as: Symlink following, symlink vulnerability

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Last updated May 1, 2026

111

Recorded CVEs

With this primary weakness

1

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Compound

Abstraction

MITRE classification

Overview

A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.

Real-world CVEs

111 recorded CVEs are caused by CWE-61 (UNIX Symbolic Link (Symlink) Following), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 32 new CWE-61 CVEs have been recorded so far in 2026 (30 in 2025).

Showing 12 of 111 recorded CWE-61 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-61 vulnerabilities

Common consequences

What can happen when CWE-61 is exploited.

Read Files or Directories, Modify Files or Directories

Affects: Confidentiality, Integrity

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-61, grouped by where in the lifecycle they apply.

Implementation

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

Architecture and Design

Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-1999-1386 — Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
CVE-2000-1178 — Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
CVE-2004-0217 — Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
CVE-2003-0517 — Symlink attack allows local users to overwrite files.
CVE-2004-0689 — Possible interesting example
CVE-2005-1879 — Second-order symlink vulnerabilities
CVE-2005-1880 — Second-order symlink vulnerabilities
CVE-2005-1916 — Symlink in Python program
CVE-2000-0972 — Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
CVE-2005-0824 — Signal causes a dump that follows symlinks.
CVE-2015-3629 — A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container.
CVE-2020-26277 — In a MySQL database deployment tool, users may craft a maliciously packaged tarball that contains symlinks to files external to the target and once unpacked, will execute.
CVE-2021-21272 — "Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball.

Terminology & mappings

Alternate terms

Symlink following
symlink vulnerability

Mapped taxonomies

PLOVER: UNIX symbolic link following

Attack patterns

CAPEC attack patterns that exploit this weakness.

CAPEC-27: Leveraging Race Conditions via Symbolic Links

Frequently asked questions

Common questions about CWE-61.

What is CWE-61?

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

What CVEs are caused by CWE-61?

111 recorded CVEs are attributed to CWE-61, including CVE-2026-54420, CVE-2024-28189, CVE-2024-28185. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-61?

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

How is CWE-61 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-61?

Exploiting CWE-61 can lead to: Read Files or Directories, Modify Files or Directories.

Is CWE-61 actively exploited?

Yes. 1 CWE-61 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 111 recorded CVEs.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-61

Get alerted the moment a new CWE-61 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Requires

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-61?

What CVEs are caused by CWE-61?

How do you prevent CWE-61?

How is CWE-61 detected?

What are the consequences of CWE-61?

Is CWE-61 actively exploited?

References

Stay ahead of CWE-61