LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CWE WEAKNESSES  /  CWE-41

CWE-41

Improper Resolution of Path Equivalence

Base

What it is

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.

Impact

Confidentiality, Integrity, Access ControlRead Files or Directories, Modify Files or Directories, Bypass Protection Mechanism

Mitigations

  • [Implementation]Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.When performing input validation, consider all potentially relevant properties, including length, type of input, the full r
  • [Implementation] Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i
  • [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Real-world CVE examples

  • CVE-2000-1114 — Source code disclosure using trailing dot
  • CVE-2002-1986 — Source code disclosure using trailing dot
  • CVE-2004-2213 — Source code disclosure using trailing dot or trailing encoding space "%20"
  • CVE-2005-3293 — Source code disclosure using trailing dot
  • CVE-2004-0061 — Bypass directory access restrictions using trailing dot in URL
  • CVE-2000-1133 — Bypass directory access restrictions using trailing dot in URL
  • CVE-2001-1386 — Bypass check for ".lnk" extension using ".lnk."
  • CVE-2001-0693 — Source disclosure via trailing encoded space "%20"
  • CVE-2001-0778 — Source disclosure via trailing encoded space "%20"
  • CVE-2001-1248 — Source disclosure via trailing encoded space "%20"
  • CVE-2004-0280 — Source disclosure via trailing encoded space "%20"
  • CVE-2005-0622 — Source disclosure via trailing encoded space "%20"

Related weaknesses

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →

Scroll to Top