Cyber Resilience

CWE · MITRE source

CWE-425: Direct Request ('Forced Browsing')

Abstraction: Base · CVEs in our corpus: 233

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Last updated: 04 July 2026 08:17 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk cover this weakness when taken together. The verdict is the strongest single mapping (overlapping partial mappings are not summed); the breadth count shows how many mappings corroborate it.

Collective: full · 5 mapping(s) from 3 framework(s): CAPEC 3 (full) · OWASP-Web 1 (full) · ATT&CK 1 (mostly)


OWASP Top 10 for Web (2025)

This weakness contributes to A01:2025 Broken Access Control.

NIST 800-53 r5 controls that address this weakness (6) · AI

Showing the 5 most specific. Generic controls that address many weakness types are collapsed below.

Control · Title · Family · Why it addresses this CWE
AC-24 · Access Control Decisions · AC · Requiring an explicit decision on every access request, including direct requests for unlinked URLs, leaves no unchecked access path for forced browsing to exploit.
AC-25 · Reference Monitor · AC · Routes every access through a single, always-invoked monitor, so a direct request cannot reach a resource while bypassing the check.
AC-3 · Access Enforcement · AC · Enforcing approved authorizations on every logical request, not only on requests that arrive through the intended UI, prevents unauthorized direct access to protected resources.
SC-26 · Decoys · SC · Decoy endpoints catch forced-browsing probes and direct requests, deflecting attackers from legitimate resources while enabling analysis of their activity.
SI-9 · Information Input Restrictions · SI · Restricting which actors may submit input to the system denies unauthorized direct requests before they reach the application.

Collapsed (1 more broadly applicable control):
AC-8 · System Use Notification · AC · Displaying the notification before any further access on public systems stops direct resource requests from skipping the required system-use terms and consent.
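The description above and the AC-25/AC-3 entries in the table describe the same fix from two sides: make one always-invoked authorization decision in front of every route instead of relying on each handler to check, or on a URL being unlinked. The Go program below is an added example written for this page; it is not code from MITRE, NIST or any of the listed CVEs. The X-Role header standing in for a session, the /admin, /admin/export and /profile paths and the policy table are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// roleOf returns the caller's role. A real application derives this from a
// validated session; this example (constructed, not production code) reads it
// from a hypothetical X-Role header so that it runs offline.
func roleOf(r *http.Request) string {
	switch r.Header.Get("X-Role") {
	case "admin", "user":
		return r.Header.Get("X-Role")
	}
	return "anonymous"
}

// vulnerableMux reproduces the CWE-425 pattern: authorization is written into
// individual handlers, and one restricted handler was wired up without it.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "home") })
	mux.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) {
		if roleOf(r) != "admin" { // the only check on the admin surface
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "admin console")
	})
	// Only linked from /admin, so it was assumed "protected". The URL is
	// guessable and nothing checks who requests it directly.
	mux.HandleFunc("/admin/export", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "all user records")
	})
	return mux
}

// rule maps a canonical path (optionally its whole subtree) to allowed roles.
type rule struct {
	prefix  string
	subtree bool
	roles   map[string]bool
}

// policy is consulted for every request, most specific rule first.
// Anything it does not list is denied: deny by default.
var policy = []rule{
	{"/admin", true, map[string]bool{"admin": true}},
	{"/profile", false, map[string]bool{"user": true, "admin": true}},
	{"/", false, map[string]bool{"anonymous": true, "user": true, "admin": true}},
}

func (ru rule) matches(p string) bool {
	return p == ru.prefix || (ru.subtree && strings.HasPrefix(p, ru.prefix+"/"))
}

// authorize is a reference-monitor style middleware (cf. AC-25/AC-3): it runs
// before routing, so no handler is reachable without an access decision.
func authorize(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Canonicalise first so "/admin//export", "/x/../admin/export" and
		// "/admin/export/" are all judged as "/admin/export".
		p := path.Clean("/" + r.URL.Path)
		role := roleOf(r)
		for _, ru := range policy {
			if !ru.matches(p) {
				continue
			}
			if ru.roles[role] {
				r.URL.Path = p // route on exactly the path that was authorized
				next.ServeHTTP(w, r)
				return
			}
			break // most specific rule matched and denies this role
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// hardenedMux registers the same handlers with no per-handler checks and
// wraps the whole mux in authorize, so there is no unchecked path.
func hardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "home") })
	mux.HandleFunc("/profile", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "your profile") })
	mux.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "admin console") })
	mux.HandleFunc("/admin/export", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "all user records") })
	return authorize(mux)
}

// get issues an in-process request as the given role and returns the status.
func get(h http.Handler, target, role string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if role != "" {
		req.Header.Set("X-Role", role)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, anonymous GET /admin/export    ->", get(vulnerableMux(), "/admin/export", ""))
	fmt.Println("hardened,   anonymous GET /admin/export    ->", get(hardenedMux(), "/admin/export", ""))
	fmt.Println("hardened,   user GET /x/../admin/export    ->", get(hardenedMux(), "/x/../admin/export", "user"))
	fmt.Println("hardened,   admin GET /admin//export       ->", get(hardenedMux(), "/admin//export", "admin"))
	fmt.Println("hardened,   admin GET /nope (unlisted)     ->", get(hardenedMux(), "/nope", "admin"))
}
```

Run it with `go run`: the vulnerable mux serves /admin/export to an anonymous caller, while the hardened mux refuses it, refuses the same target disguised as /x/../admin/export, and refuses any path the policy does not list, even for an admin. Canonicalising with path.Clean before the decision and then routing on that same string keeps the path that was authorised and the path that is served identical, which is the property a per-handler check can never guarantee.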

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk, a direct mapping for which no public source exists (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, including XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction key: "other covers this" means the ATT&CK technique's scope contains this weakness; "this covers other" means this weakness accounts for the technique. Coverage grades: F/M/P = full / mostly / partial.

Top CVEs of this weakness type, ranked by Risk Priority

KEV: listed in the CISA Known Exploited Vulnerabilities catalog. EPSS: estimated probability of exploitation in the next 30 days (0 to 1).

CVE               KEV   Risk   CVSS   EPSS     Published
CVE-2021-26085    yes   10.0   5.3    0.9994   2021-08-03
CVE-2024-45195    yes   10.0   7.5    0.9998   2024-09-04
CVE-2017-17736    -     8.0    9.8    0.6936   2018-03-23
CVE-2018-19207    -     8.0    9.8    0.8729   2018-11-12
CVE-2024-0204     -     8.0    9.8    0.9509   2024-01-22
CVE-2002-1798     -     7.0    9.1    0.0456   2002-12-31
CVE-2017-10833    -     7.0    9.1    0.0154   2017-08-29
CVE-2017-14244    -     7.0    9.8    0.1715   2017-09-17
CVE-2018-6624     -     7.0    9.8    0.0168   2018-02-05
CVE-2018-3774     -     7.0    10.0   0.0381   2018-08-12
CVE-2018-18922    -     7.0    9.8    0.0243   2018-12-13
CVE-2019-7736     -     7.0    9.8    0.0273   2019-02-11
CVE-2019-9552     -     7.0    9.8    0.0204   2019-03-04
CVE-2019-12583    -     7.0    9.1    0.4393   2019-06-27
CVE-2019-9884     -     7.0    9.8    0.0296   2019-07-25
CVE-2019-9584     -     7.0    9.8    0.0271   2019-08-14
CVE-2019-16340    -     7.0    9.8    0.1926   2019-11-21
CVE-2020-24203    -     7.0    9.8    0.0374   2020-08-27
CVE-2020-24660    -     7.0    9.8    0.0234   2020-09-14
CVE-2019-12768    -     7.0    9.8    0.0229   2020-12-30
CVE-2020-35391    -     7.0    9.6    0.3500   2021-01-01
CVE-2021-24215    -     7.0    9.8    0.0973   2021-04-12
CVE-2021-36745    -     7.0    9.8    0.0902   2021-09-29
CVE-2021-36560    -     7.0    9.8    0.0148   2021-11-02
CVE-2022-26279    -     7.0    9.8    0.0181   2022-03-24

The ranking is driven by exploitation evidence rather than base severity: the two KEV-listed entries, both with EPSS above 0.999, top the list despite having the lowest CVSS scores shown.