SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-61 UNIX Symlink Following

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged a file access pattern where symlinks may be followed, allowing an attacker to redirect reads/writes to a different file than the application intended.

Why it matters

Symlink following can expose protected files or bypass checks.

Safer examples

1) Avoid operating on paths in world-writable directories

Prefer application-owned directories with strict permissions.

2) Use "no symlink follow" protections where available

Use OS/library flags that refuse symlinks (platform-dependent).

3) Use safe temp-file APIs

Prefer secure temp file helpers rather than manual temp path construction.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.