CWE · MITRE source
CWE-425: Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.
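As an added illustration that is not part of the CWE entry, the hypothetical dispatcher below contrasts the faulty pattern, where the only authorization check sits on the menu page that links to the restricted handler, with a dispatcher that consults a deny-by-default policy on every request before any handler runs; every name, route and role in it is assumed for the demo.

```python
# Added example, not from the CWE entry. All names here are hypothetical.
from dataclasses import dataclass

@dataclass
class Request:
    path: str
    role: str = "anonymous"  # role taken from the session; constructed for the demo

def admin_index(req):
    # Faulty pattern: the only authorization check lives on the menu page,
    # on the assumption that /admin/users is reached only through this menu.
    if req.role != "admin":
        return 403, "forbidden"
    return 200, "admin menu -> /admin/users"

def admin_users(req):
    # No check here: a direct request to /admin/users skips the menu entirely.
    return 200, "user list"

ROUTES = {
    "/": lambda req: (200, "home"),
    "/admin": admin_index,
    "/admin/users": admin_users,
}

def dispatch_vulnerable(req):
    # Calls whatever handler matches; authorization is left to each handler.
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")

# Hardened pattern: a deny-by-default policy is consulted for every request,
# before any handler runs, so no restricted path has an unchecked entry.
POLICY = {
    "/": {"anonymous", "user", "admin"},
    "/admin": {"admin"},
    "/admin/users": {"admin"},
}

def dispatch_hardened(req):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    allowed = POLICY.get(req.path, set())  # unmapped path -> empty set -> deny
    if req.role not in allowed:
        return 403, "forbidden"
    return handler(req)

def routes_without_policy():
    # Deployment check: every registered route needs an explicit policy entry,
    # so a newly added handler cannot silently fall outside the checks.
    return sorted(set(ROUTES) - set(POLICY))
```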
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (6)
The 5 most specific controls are listed first; a more broadly applicable control that addresses many weakness types follows.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-24 | Access Control Decisions | AC | Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring no unchecked access paths. |
| AC-25 | Reference Monitor | AC | Forces all accesses through the reference monitor, preventing direct or forced requests that bypass checks. |
| AC-3 | Access Enforcement | AC | Enforcing access for all logical requests prevents unauthorized direct access to protected resources. |
| SC-26 | Decoys | SC | Decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis. |
| SI-9 | Information Input Restrictions | SI | Blocks unauthorized direct requests or forced browsing by denying input access to non-authorized actors. |
| AC-8 | System Use Notification | AC | Displaying the notification before further access on public systems prevents direct resource requests from bypassing the required system use terms and consent. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-45195 (KEV) | 9.1 | 7.5 | 0.9415 | 2024-09-04 |
| CVE-2021-26085 (KEV) | 8.7 | 5.3 | 0.9398 | 2021-08-03 |
| CVE-2017-17736 | 7.5 | 9.8 | 0.9265 | 2018-03-23 |
| CVE-2018-19207 | 7.5 | 9.8 | 0.9194 | 2018-11-12 |
| CVE-2024-0204 | 7.5 | 9.8 | 0.9305 | 2024-01-22 |
| CVE-2019-17503 | 6.5 | 5.3 | 0.9022 | 2019-10-11 |
| CVE-2021-40875 | 6.5 | 7.5 | 0.8300 | 2021-09-22 |
| CVE-2022-26159 | 6.3 | 5.3 | 0.8716 | 2022-02-28 |
| CVE-2019-1898 | 5.8 | 5.3 | 0.7868 | 2019-06-20 |
| CVE-2021-28150 | 5.8 | 5.5 | 0.7876 | 2021-05-06 |
| CVE-2019-12583 | 5.4 | 9.1 | 0.5906 | 2019-06-27 |
| CVE-2021-24215 | 5.2 | 9.8 | 0.5459 | 2021-04-12 |
| CVE-2022-2551 | 5.1 | 7.5 | 0.5971 | 2022-08-22 |
| CVE-2017-14244 | 5.0 | 9.8 | 0.5079 | 2017-09-17 |
| CVE-2020-24765 | 4.7 | 7.5 | 0.5328 | 2020-10-20 |
| CVE-2020-35391 | 4.7 | 9.6 | 0.4684 | 2021-01-01 |
| CVE-2021-20114 | 4.7 | 7.5 | 0.5387 | 2021-07-30 |
| CVE-2022-31847 | 4.5 | 7.5 | 0.5059 | 2022-06-14 |
| CVE-2022-28365 | 4.4 | 5.3 | 0.5618 | 2022-04-09 |
| CVE-2022-4057 | 3.8 | 5.3 | 0.4539 | 2023-01-02 |
| CVE-2022-2544 | 3.6 | 7.5 | 0.3447 | 2022-08-22 |
| CVE-2021-46378 | 3.5 | 7.5 | 0.3306 | 2022-03-04 |
| CVE-2021-36745 | 3.1 | 9.8 | 0.1872 | 2021-09-29 |
| CVE-2019-14927 | 3.0 | 7.5 | 0.2533 | 2019-10-28 |
| CVE-2024-6188 | 3.0 | 5.3 | 0.3232 | 2024-06-20 |