SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-59 Link Following

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged file operations that follow links (symlinks/hardlinks/shortcuts) in a way that can bypass the intended target. The app thinks it's reading/writing "a safe file," but the link points elsewhere.

Why it matters

Link following can redirect access to unintended targets.

Safer examples

1) Don't follow links for untrusted paths

Use platform-safe APIs/flags to refuse symlinks where possible (exact API varies).

2) Use atomic, safe file creation patterns

Prefer secure temp file helpers rather than manual naming.

3) Validate final resolved path is under a base directory

Resolve the path and enforce that it stays inside your intended directory (see CWE-23 / CWE-36 / CWE-61).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.