CWE-73: External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.
Abstraction: Base
Common Consequences
Confidentiality → Read Files or Directories (an attacker who controls the path can read files outside the intended directory)
Integrity → Modify Files or Directories (an attacker who controls the path can overwrite or create files outside the intended directory)
Availability → DoS: Crash, Exit, or Restart (a path pointing at a device, FIFO, or missing file can hang or crash the product)
Detection Methods
Automated Static Analysis
External control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not recognize when proper input validation (for example, canonicalizing the path and checking that it stays inside an allowed base directory) is being performed, leading to false positives: warnings that have no security consequence and require no code change.
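The following is an added example (not code from the CWE entry or from any product listed below) showing the weakness beside the validation that static analysis is expected to recognize. The sample directory tree, the file names, and the helper names `vulnerable_read`, `resolve_under`, `safe_read`, `escapes` and `demo` are all constructed for this illustration. The hardened version rejects absolute paths, canonicalizes with `os.path.realpath` (which also follows symlinks, so a link inside the base directory that points outside it is rejected), and compares path components rather than string prefixes so that `/srv/data2` is not accepted as being under `/srv/data`.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would leave the allowed base directory."""


def vulnerable_read(base_dir: str, user_path: str) -> bytes:
    """CWE-73 as written: user input is joined straight into the filesystem path.

    "../secret.txt" walks out of base_dir, and an absolute user_path makes
    os.path.join discard base_dir entirely.
    """
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the canonical path of user_path inside base_dir, or raise UnsafePathError."""
    if "\x00" in user_path:
        raise UnsafePathError("embedded NUL byte rejected")
    if os.path.isabs(user_path):
        raise UnsafePathError(f"absolute path rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses "..", "." and resolves symlinks, so the containment
    # check below sees where the path really lands, not how it was spelled.
    target = os.path.realpath(os.path.join(base, user_path))
    # Component-wise comparison: a plain startswith() check would accept
    # "/srv/data2/x" as being under "/srv/data".
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError(f"path escapes base directory: {user_path!r}")
    return target


def safe_read(base_dir: str, user_path: str) -> bytes:
    """Hardened counterpart of vulnerable_read."""
    with open(resolve_under(base_dir, user_path), "rb") as f:
        return f.read()


def escapes(base_dir: str, user_path: str) -> bool:
    """True if the validation in resolve_under rejects user_path (pure path logic, no I/O)."""
    try:
        resolve_under(base_dir, user_path)
    except UnsafePathError:
        return True
    return False


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and exercise both readers.

    Layout (constructed for this example):
        <root>/secret.txt          outside the served directory
        <root>/uploads/report.txt  the only file that should be readable
        <root>/uploads/link        symlink back out to secret.txt
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.makedirs(base)
    with open(os.path.join(base, "report.txt"), "wb") as f:
        f.write(b"quarterly report")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"db password")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
        have_symlink = True
    except (OSError, NotImplementedError):  # e.g. no symlink privilege on Windows
        have_symlink = False

    results = {"vulnerable_traversal": vulnerable_read(base, "../secret.txt")}
    probes = {
        "legit": "report.txt",
        "traversal": "../secret.txt",
        "absolute": os.path.join(root, "secret.txt"),
        "symlink": "link",
    }
    for label, path in probes.items():
        if label == "symlink" and not have_symlink:
            results[label] = None
            continue
        try:
            results[label] = safe_read(base, path)
        except UnsafePathError:
            results[label] = None
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:22s} -> {value!r}")
```

Only `legit` returns file contents from the hardened reader; every other probe is rejected before `open` is called, while the vulnerable reader happily returns the secret. Note that `os.path.realpath` resolves non-existent paths lexically, so the check works for files that do not exist yet (useful for write paths too), and that this check validates the final path rather than trying to blocklist `..` sequences, which encoding tricks routinely bypass.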
Real-World Examples (10)
| CVE | CVSS base score | EPSS (exploitation probability) | CISA KEV listed |
|---|---|---|---|
| CVE-2018-17246 | 9.8 | 93.8% | — |
| CVE-2022-39952 | 9.8 | 93.8% | — |
| CVE-2024-8517 | 9.8 | 93.2% | — |
| CVE-2023-4634 | 9.8 | 92.1% | — |
| CVE-2024-43451 | 6.5 | 90.3% | Y |
| CVE-2022-24900 | 9.9 | 73.3% | — |
| CVE-2021-27250 | 6.5 | 70.6% | — |
| CVE-2024-5334 | 7.5 | 62.7% | — |
| CVE-2025-33053 | 8.8 | 50.3% | Y |
| CVE-2023-3643 | 7.3 | 41.3% | — |
Risk score: 6 / 100 (low-risk)
Active Threat: 5/50 · Minimal
Exploit Availability: 1/50 · Minimal