Weakness reference
CWE-426

Untrusted Search Path


01 Summary

Untrusted Search Path occurs when an application searches for executables, libraries, or other critical resources using a path that an attacker can influence or modify. Instead of loading the intended resource from a secure location, the application may load a malicious substitute placed earlier in the search path, leading to arbitrary code execution or privilege escalation.

02 How It Happens

Applications often rely on search paths (like PATH environment variables, working directories, or library load paths) to locate and load resources at runtime. If an attacker can control or predict these paths—by modifying environment variables, creating files in shared directories, or exploiting relative path resolution—they can place a malicious executable or library in a location the application will search before the legitimate one. The application then loads and executes the attacker's version instead, often with the privileges of the running process.

This is particularly dangerous when applications run with elevated privileges (such as setuid binaries on Unix systems or services running as SYSTEM on Windows) or when they load libraries dynamically without validating the source.
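The first-match rule described above is the whole mechanism: whichever directory appears earlier in the search path wins, regardless of whether it is trustworthy. The following script is an added example (not part of the CWE reference page) that builds a constructed directory layout in a temporary folder, with a file named `some_tool` in both a stand-in for `/usr/bin` and a stand-in for a shared writable directory, and resolves the name under three different PATH orders. The directory names, the tool name and the resolver are all assumptions made for the demonstration; the resolver mimics the first-match lookup of `execvp()` and shells.

```python
# Added example: how PATH order decides which file runs (CWE-426 mechanism).
# Everything here (directories, tool files, names) is constructed for the demo.
import os
import shutil
import stat
import tempfile
from typing import List, Optional


def which_would_run(name: str, search_path: List[str]) -> Optional[str]:
    """Return the first regular, owner-executable file called `name` along
    `search_path`, in list order. This is the first-match rule of execvp()
    and shell lookup: a directory's position, not its trustworthiness,
    decides the winner."""
    for directory in search_path:
        candidate = os.path.join(directory, name)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
            return candidate
    return None


def make_tool(directory: str, name: str, message: str) -> str:
    """Create a tiny executable script so `directory` holds a file named `name`."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho {message}\n")
    os.chmod(path, 0o755)
    return path


def demo(tool_name: str = "some_tool") -> dict:
    """Resolve one tool name under three search orders and report which
    directory won each time. 'usr_bin' stands in for /usr/bin; 'shared'
    stands in for a directory that other accounts can write to."""
    base = tempfile.mkdtemp(prefix="cwe426-")
    legit_dir = os.path.join(base, "usr_bin")
    shared_dir = os.path.join(base, "shared")
    os.mkdir(legit_dir)
    os.mkdir(shared_dir)
    make_tool(legit_dir, tool_name, "legitimate")
    make_tool(shared_dir, tool_name, "substitute")  # same name, different code

    scenarios = {
        "shared_first": [shared_dir, legit_dir],  # like PATH=/tmp:/usr/bin
        "legit_first": [legit_dir, shared_dir],   # like PATH=/usr/bin:/tmp
        "legit_only": [legit_dir],                # like PATH=/usr/bin
    }
    winners = {}
    for label, search_path in scenarios.items():
        resolved = which_would_run(tool_name, search_path)
        winners[label] = os.path.basename(os.path.dirname(resolved))
    shutil.rmtree(base)
    return winners


if __name__ == "__main__":
    for scenario, winner in demo().items():
        print(f"{scenario:13s} -> {winner}/{'some_tool'}")
```

Only the `shared_first` order picks the substitute; the same program with the same tool name behaves differently purely because of the search order it inherited, which is why the later sections insist on absolute paths and a pinned environment.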

03 Real-World Impact

Successful exploitation can result in arbitrary code execution with the privileges of the vulnerable application. An attacker could gain unauthorized access to sensitive data, modify system files, escalate privileges from a regular user to administrator, or establish persistent backdoors. In multi-user or shared hosting environments, this can allow lateral movement between user accounts or compromise of the entire system.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import subprocess
import os

# Attacker can modify PATH environment variable
user_input = os.environ.get('PATH', '/usr/bin:/bin')
result = subprocess.run('some_tool', shell=True, env={'PATH': user_input})

Why it's vulnerable:
The application trusts the PATH environment variable, which an attacker can modify to point to directories containing malicious executables with the same name as legitimate tools.

Fixed pattern
import subprocess

# Use absolute path to the executable
result = subprocess.run('/usr/bin/some_tool', shell=False)

Vulnerable pattern
<?php
// Relative path allows attacker to place malicious library in current directory
$library_path = 'includes/helper.php';
require_once($library_path);

// Or relying on include_path set via environment
$file = 'config.php';
include($file);
?>

Why it's vulnerable:
Relative paths and reliance on include_path allow an attacker to place a malicious file in a predictable location that gets loaded before the legitimate one.

Fixed pattern
<?php
// Use absolute path with __DIR__ constant
$library_path = __DIR__ . '/includes/helper.php';
require_once($library_path);

// Or use a hardcoded absolute path
$config_file = '/etc/app/config.php';
if (file_exists($config_file)) {
    include($config_file);
}
?>

05 Prevention Checklist

Use absolute paths for all critical resource loading (executables, libraries, configuration files). Never rely on relative paths or environment variables for locating security-sensitive resources.

Avoid shell execution when possible; use direct function calls or library imports instead of spawning subprocesses that depend on PATH resolution.

Validate and restrict search paths if dynamic loading is necessary: explicitly define a whitelist of allowed directories and verify the resource exists in one of them before loading.

Remove or restrict write permissions on directories in the search path (especially /tmp, the current working directory, and shared library directories) to prevent attackers from placing malicious files.

Run with minimal privileges so that even if a malicious resource is loaded, the damage is limited to the least necessary permissions.

Set secure environment variables at application startup; do not inherit untrusted PATH, LD_LIBRARY_PATH, or similar variables from the calling environment.
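Several of the checklist items combine naturally into one launcher: an allowlist of absolute directories instead of PATH, a check that the directory the tool comes from is not writable by other accounts, a scrubbed environment, and no shell. The code below is an added example (not the reference page's own code) showing that combination in Python, the language of the page's first pattern. The environment variable list, the pinned PATH value, the permission policy (owned by root or the current user, not group- or world-writable) and the constructed temporary layout used by `demo()` are assumptions for the example.

```python
# Added example: locate and launch a helper tool without trusting the search path.
# Policy constants and the demo layout are assumptions made for this example.
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Iterable, List, Optional

# Variables that steer where a shell or the dynamic loader looks for code;
# none of them should be inherited from whoever started us.
UNSAFE_ENV_VARS = ("PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "IFS")
FIXED_PATH = "/usr/bin:/bin"  # assumed safe value for child processes


def directory_is_trusted(directory: str) -> bool:
    """Absolute, a real directory, owned by root or us, and not writable by
    group or others: a directory another account can write to is one where
    a substitute can be planted."""
    if not os.path.isabs(directory):
        return False
    try:
        st = os.stat(directory)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid not in (0, os.getuid()):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_trusted_executable(name: str, allowed_dirs: Iterable[str]) -> Optional[str]:
    """Absolute path of `name` in the first *trusted* allowlisted directory that
    holds a regular executable file; None otherwise. PATH is never consulted,
    and an untrusted directory is skipped rather than falling back to it."""
    if os.sep in name:
        raise ValueError("tool name must not contain a path component")
    for directory in allowed_dirs:
        if not directory_is_trusted(directory):
            continue
        candidate = os.path.join(directory, name)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
            return candidate
    return None


def clean_environment(source: Optional[dict] = None) -> dict:
    """Copy the caller's environment minus the search-path variables, then pin PATH."""
    source = os.environ if source is None else source
    env = {k: v for k, v in source.items() if k not in UNSAFE_ENV_VARS}
    env["PATH"] = FIXED_PATH
    return env


def run_tool(name: str, args: List[str], allowed_dirs: Iterable[str]) -> subprocess.CompletedProcess:
    """Launch `name` by absolute path, with a clean environment and no shell."""
    exe = resolve_trusted_executable(name, allowed_dirs)
    if exe is None:
        raise FileNotFoundError(f"{name!r} not found in any trusted directory")
    return subprocess.run([exe, *args], env=clean_environment(), shell=False, check=False)


def demo() -> dict:
    """Constructed layout: a world-writable 'shared' directory listed FIRST and a
    private 'app_bin' directory second both contain 'some_tool'. The resolver
    must skip the writable one even though it comes first in the allowlist."""
    base = tempfile.mkdtemp(prefix="cwe426-")
    shared = os.path.join(base, "shared")    # stands in for /tmp-like locations
    app_bin = os.path.join(base, "app_bin")  # stands in for /opt/app/bin
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    os.mkdir(app_bin)
    os.chmod(app_bin, 0o755)
    for directory in (shared, app_bin):
        tool = os.path.join(directory, "some_tool")
        with open(tool, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(tool, 0o755)
    resolved = resolve_trusted_executable("some_tool", [shared, app_bin])
    outcome = {
        "shared_trusted": directory_is_trusted(shared),
        "app_bin_trusted": directory_is_trusted(app_bin),
        "resolved_from": os.path.basename(os.path.dirname(resolved)) if resolved else None,
        "ld_preload_dropped": "LD_PRELOAD" not in clean_environment({"LD_PRELOAD": "/x.so"}),
    }
    shutil.rmtree(base)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The ownership and mode check covers only the final directory; a complete policy would walk every parent component as well, since a writable parent lets the whole directory be replaced. `run_tool` is deliberately not exercised by the demo so that the example stays side-effect free beyond its temporary directory.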

06 Signs You May Already Be Affected

Unexpected executables or libraries appearing in shared directories (like /tmp or the application's working directory), unusual process execution logs showing the application loading resources from unexpected paths, or reports of privilege escalation from unprivileged users. If your application runs with elevated privileges and users can influence its working directory or environment, this risk is elevated.

07 Related Recent Vulnerabilities