CWE-425

Direct Request ('Forced Browsing')

Abstraction: Base

What it is

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Impact

Scope: Confidentiality, Integrity, Availability, Access Control
Technical impact: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Mitigations

  • [Architecture and Design, Operation] Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
  • [Architecture and Design] Consider using MVC-based frameworks such as Struts.

Real-world CVE examples

  • CVE-2022-29238 — Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not
  • CVE-2004-2144 — Bypass authentication via direct request.
  • CVE-2005-1892 — Infinite loop or infoleak triggered by direct requests.
  • CVE-2004-2257 — Bypass auth/auth via direct request.
  • CVE-2005-1688 — Direct request leads to infoleak by error.
  • CVE-2005-1697 — Direct request leads to infoleak by error.
  • CVE-2005-1698 — Direct request leads to infoleak by error.
  • CVE-2005-1685 — Authentication bypass via direct request.
  • CVE-2005-1827 — Authentication bypass via direct request.
  • CVE-2005-1654 — Authorization bypass using direct request.
  • CVE-2005-1668 — Access privileged functionality using direct request.
  • CVE-2002-1798 — Upload arbitrary files via direct request.

Source: MITRE CWE (cwe.mitre.org).