BaseDraft
CWE-73External Control of File Name or Path
Category: other
Description
The product allows user input to control or influence paths or file names that are used in filesystem operations.
Common consequences· 3
- Integrity / Confidentiality — Read Files or Directories, Modify Files or DirectoriesThe application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.
- Integrity / Confidentiality / Availability — Modify Files or Directories, Execute Unauthorized Code or CommandsThe application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.
- Availability — DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other)The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects.
Potential mitigations· 5
- [Architecture and Design]When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
- [Architecture and Design, Operation]
- [Architecture and Design]For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- [Implementation]
- [Implementation]Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
Related CAPEC attack patterns· 8
References
Exploits (incoming)8
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | Manipulating Web Input to File System Callscapec-76 | 100% | live |
| AttackPattern | Subverting Environment Variable Valuescapec-13 | 100% | live |
| AttackPattern | Using Slashes and URL Encoding Combined to Bypass Validation Logiccapec-64 | 100% | live |
| AttackPattern | Using Escaped Slashes in Alternate Encodingcapec-78 | 100% | live |
| AttackPattern | Using UTF-8 Encoding to Bypass Validation Logiccapec-80 | 100% | live |
| AttackPattern | Using Slashes in Alternate Encodingcapec-79 | 100% | live |
| AttackPattern | URL Encodingcapec-72 | 100% | live |
| AttackPattern | Leverage Alternate Encodingcapec-267 | 100% | live |
Compliance frameworks addressing this (incoming)1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| ComplianceControl | owasp_api_top10-api07 | 100% | live |
(incoming)88
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-0105cve-2025-0105 | 0% | live |
| Vulnerability | Palo Alto Networks PAN-OS File Read Vulnerabilitycve-2025-0111 | 0% | live |
| Vulnerability | CVE-2025-0211cve-2025-0211 | 0% | live |
| Vulnerability | CVE-2025-0452cve-2025-0452 | 0% | live |
| Vulnerability | CVE-2025-0851cve-2025-0851 | 0% | live |
| Vulnerability | CVE-2025-10058cve-2025-10058 | 0% | live |
| Vulnerability | CVE-2025-10134cve-2025-10134 | 0% | live |
| Vulnerability | CVE-2025-10494cve-2025-10494 | 0% | live |
| Vulnerability | CVE-2025-12529cve-2025-12529 | 0% | live |
| Vulnerability | CVE-2025-13322cve-2025-13322 | 0% | live |
| Vulnerability | CVE-2025-2004cve-2025-2004 | 0% | live |
| Vulnerability | Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerabilitycve-2025-24054 | 0% | live |
| Vulnerability | CVE-2025-2409cve-2025-2409 | 0% | live |
| Vulnerability | CVE-2025-26646cve-2025-26646 | 0% | live |
| Vulnerability | CVE-2025-27147cve-2025-27147 | 0% | live |
| Vulnerability | CVE-2025-29708cve-2025-29708 | 0% | live |
| Vulnerability | CVE-2025-29709cve-2025-29709 | 0% | live |
| Vulnerability | CVE-2025-30201cve-2025-30201 | 0% | live |
| Vulnerability | Microsoft Windows External Control of File Name or Path Vulnerabilitycve-2025-33053 | 0% | live |
| Vulnerability | CVE-2025-33117cve-2025-33117 | 0% | live |
| Vulnerability | CVE-2025-3812cve-2025-3812 | 0% | live |
| Vulnerability | CVE-2025-43951cve-2025-43951 | 0% | live |
| Vulnerability | CVE-2025-4603cve-2025-4603 | 0% | live |
| Vulnerability | CVE-2025-4674cve-2025-4674 | 0% | live |
| Vulnerability | CVE-2025-46762cve-2025-46762 | 0% | live |
| Vulnerability | CVE-2025-53912cve-2025-53912 | 0% | live |
| Vulnerability | CVE-2025-5393cve-2025-5393 | 0% | live |
| Vulnerability | CVE-2025-54945cve-2025-54945 | 0% | live |
| Vulnerability | CVE-2025-58158cve-2025-58158 | 0% | live |
| Vulnerability | CVE-2025-59291cve-2025-59291 | 0% | live |
Showing top 30 of 88 by confidence. Click any target to see the full neighbourhood.
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.