CWE-61 UNIX Symlink Following
Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.
What this means
SiteShadow flagged a file access pattern where symlinks may be followed, allowing an attacker to redirect reads/writes to a different file than the application intended.
Why it matters
Symlink following can expose protected files or bypass checks.
- Read exposure: symlink points to secrets (e.g.,
/etc/passwd, app configs). - Write exposure: symlink points to sensitive targets, enabling overwrite attacks.
- Often paired with TOCTOU patterns (see
CWE-362).
Safer examples
1) Avoid operating on paths in world-writable directories
Prefer application-owned directories with strict permissions.
2) Use "no symlink follow" protections where available
Use OS/library flags that refuse symlinks (platform-dependent).
3) Use safe temp-file APIs
Prefer secure temp file helpers rather than manual temp path construction.
How SiteShadow detects it (high level)
- Flags file opens/writes where a path is attacker-influenced and symlink protections are missing.
- Looks for risky patterns in temp directories and upload paths.
References
- CWE-61: https://cwe.mitre.org/data/definitions/61.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.