Home/CWE/Improper Resolution of Path Equivalence
Weakness

Improper Resolution of Path Equivalence

CWE-41 · Base · Incomplete

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

Extended description

Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-1390 · Weak Authentication
ChildOfCWE-706 · Use of Incorrectly-Resolved Name or Reference
ChildOfCWE-863 · Incorrect Authorization
Children (more specific)
ParentOfCWE-42 · Path Equivalence: 'filename.' (Trailing Dot)
ParentOfCWE-44 · Path Equivalence: 'file.name' (Internal Dot)
ParentOfCWE-46 · Path Equivalence: 'filename ' (Trailing Space)
ParentOfCWE-47 · Path Equivalence: ' filename' (Leading Space)
ParentOfCWE-48 · Path Equivalence: 'file name' (Internal Whitespace)
ParentOfCWE-49 · Path Equivalence: 'filename/' (Trailing Slash)
ParentOfCWE-50 · Path Equivalence: '//multiple/leading/slash'
ParentOfCWE-51 · Path Equivalence: '/multiple//internal/slash'
ParentOfCWE-52 · Path Equivalence: '/multiple/trailing/slash//'
ParentOfCWE-53 · Path Equivalence: '\multiple\\internal\backslash'
ParentOfCWE-54 · Path Equivalence: 'filedir\' (Trailing Backslash)
ParentOfCWE-55 · Path Equivalence: '/./' (Single Dot Directory)
ParentOfCWE-56 · Path Equivalence: 'filedir*' (Wildcard)
ParentOfCWE-57 · Path Equivalence: 'fakedir/../realdir/filename'
ParentOfCWE-58 · Path Equivalence: Windows 8.3 Filename

Attack Patterns (CAPEC)

1
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-3Using Leading 'Ghost' Character Sequences to Bypass Input Filters

CVEs With This Weakness

25
A sample of the 25 CVEs tagged with this weakness.
CVECVE-2026-5816
CVECVE-2026-34510
CVECVE-2026-34451
CVECVE-2026-23674
CVECVE-2025-58290
CVECVE-2025-54107
CVECVE-2025-43298
CVECVE-2025-24470
CVECVE-2025-21332
CVECVE-2025-21329
CVECVE-2025-21328
CVECVE-2025-21269
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin