CWE-425 Base Incomplete

Direct Request ('Forced Browsing')

This vulnerability occurs when a web application fails to verify user permissions for every protected page, file, or API endpoint, allowing attackers to access them directly.

Definition

What is CWE-425?

This vulnerability occurs when a web application fails to verify user permissions for every protected page, file, or API endpoint, allowing attackers to access them directly.
Direct Request vulnerabilities happen because developers often assume users will only navigate through the intended application flow, like clicking buttons in a set sequence. They place authorization checks only at those expected entry points, forgetting that a user can simply type or forge a request to any URL or endpoint the server knows. This creates an insecure direct object reference (IDOR) risk, where attackers can 'force browse' by guessing or discovering hidden paths to administrative panels, configuration files, user data, or backend scripts. To prevent this, every single restricted resource must independently validate that the current session has explicit permission to access it, regardless of how the request was made.
Real-world impact

Real-world CVEs caused by CWE-425

  • CVE-2022-29238

    Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.

  • CVE-2022-23607

    Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect.

  • CVE-2004-2144

    Bypass authentication via direct request.

  • CVE-2005-1892

    Infinite loop or infoleak triggered by direct requests.

  • CVE-2004-2257

    Bypass auth/auth via direct request.

  • CVE-2005-1688

    Direct request leads to infoleak by error.

  • CVE-2005-1697

    Direct request leads to infoleak by error.

  • CVE-2005-1698

    Direct request leads to infoleak by error.

How attackers exploit it

Step-by-step attacker path

  1. 1

    Identify a code path that handles untrusted input without validation.

  2. 2

    Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.

  3. 3

    Deliver the payload through a normal request and observe the application's reaction.

  4. 4

    Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable JSP

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

Vulnerable JSP 
http://somesite.com/someapplication/admin.jsp
Attacker payload

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

Attacker payload JSP 
http://somesite.com/someapplication/admin.jsp
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-425

  • Architecture and Design / Operation Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
  • Architecture and Design Consider using MVC based frameworks such as Struts.
Detection signals

How to detect CWE-425

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-425 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-425?

This vulnerability occurs when a web application fails to verify user permissions for every protected page, file, or API endpoint, allowing attackers to access them directly.

How serious is CWE-425?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-425?

MITRE lists the following affected platforms: Web Based.

How can I prevent CWE-425?

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files. Consider using MVC based frameworks such as Struts.

How does Plexicus detect and fix CWE-425?

Plexicus's SAST engine matches the data-flow signature for CWE-425 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-425?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/425.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-425

CWE-862 Parent

Missing Authorization

This vulnerability occurs when an application fails to verify whether a user has permission to access specific data or execute certain…

CWE-1314 Sibling

Missing Write Protection for Parametric Data Values

This vulnerability occurs when a hardware device fails to protect the scaling parameters used to convert raw sensor readings. Untrusted…

CWE-638 Sibling

Not Using Complete Mediation

This vulnerability occurs when software fails to verify access permissions every single time a user or process tries to use a resource.…

CWE-939 Sibling

Improper Authorization in Handler for Custom URL Scheme

This vulnerability occurs when an app implements a custom URL scheme handler but fails to properly verify which other apps or sources are…

CWE-471 Can precede

Modification of Assumed-Immutable Data (MAID)

This vulnerability occurs when an application fails to protect data it assumes cannot be changed, allowing an attacker to alter it.

CWE-98 Can precede

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.