CWE-73 External Control of File Name or Path
What this means
SiteShadow flagged a pattern where external input (request params/body/query) influences a file name or path used by the system.
Why it matters
Untrusted path control can expose sensitive data or allow unintended access.
- Path traversal to read/write unintended files (see CWE-22/23/36).
- Symlink/TOCTOU exploits when combined with link following (see CWE-61/CWE-362).
- Data exfiltration via file download/export endpoints.
Safer examples
1) Use allowlists (recommended)
If the user is selecting from known files, allowlist those choices.
2) Normalize and enforce a base directory
Resolve the final path and ensure it stays inside your intended directory.
3) Prefer IDs over paths
Accept a file ID and map it to a server-known path rather than accepting arbitrary paths.
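The three approaches above combined in one sketch. This is an added example, not SiteShadow's code; the names resolve_under_base, path_for_id and UnsafePath, the catalog mapping and the sample file names are all assumptions made for illustration, and the symlink setup assumes a POSIX system.

```python
import os
import tempfile
from pathlib import Path

class UnsafePath(ValueError):
    """The requested name or ID does not map to a file inside the base directory."""

def resolve_under_base(base_dir, user_name):
    """Option 2: resolve '..' and symlinks, then require the result stays under base_dir."""
    base = Path(base_dir).resolve(strict=True)
    # Joining an absolute user_name discards base; the containment check catches that too.
    candidate = (base / user_name).resolve()
    if os.path.commonpath([base, candidate]) != str(base):
        raise UnsafePath(user_name)
    return candidate

def path_for_id(catalog, base_dir, file_id):
    """Options 1 and 3: the client sends an ID, the server owns the ID -> name allowlist."""
    if file_id not in catalog:
        raise UnsafePath(file_id)
    return resolve_under_base(base_dir, catalog[file_id])

def demo():
    """Check constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "exports")
        base.mkdir()
        (base / "report.csv").write_text("ok")
        Path(root, "secret.txt").write_text("not for export")
        os.symlink(Path(root, "secret.txt"), base / "link.csv")  # link pointing outside base
        catalog = {"r1": "report.csv"}  # hypothetical ID -> file name mapping
        checks = [(resolve_under_base, (base, n), n)
                  for n in ("report.csv", "../secret.txt", "/etc/passwd", "link.csv")]
        checks += [(path_for_id, (catalog, base, i), "id:" + i) for i in ("r1", "../secret.txt")]
        for func, args, label in checks:
            try:
                func(*args)
                results[label] = "allowed"
            except UnsafePath:
                results[label] = "rejected"
    return results

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20} {verdict}")
```

The containment check is only valid at the moment it runs: if the directory is writable by others, a link swapped in between the check and the later open is the TOCTOU case listed under "Why it matters".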
How SiteShadow detects it (high level)
- Detects file access APIs combined with request-derived input.
- Flags missing allowlists/base-dir enforcement for file paths.
References
- CWE-73: https://cwe.mitre.org/data/definitions/73.html
---