CWE-24 - Path Traversal: '../filedir'

• Abstraction:
• Variant

• Structure:
• Simple

• Status:
• Incomplete

Weakness Name

Path Traversal: '../filedir'

Description

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The "../" manipulation is the canonical manipulation for operating systems that use "/" as directory separators, such as UNIX- and Linux-based systems. In some cases, it is useful for bypassing protection schemes in environments for which "/" is supported but not the primary separator, such as Windows, which uses "\" but can also accept "/".

Common Consequences

Scope: Confidentiality, Integrity

Impact: Read Files or Directories, Modify Files or Directories

Related Weaknesses

CWE-23Relative Path Traversal

• Release Date:
• 2006-07-19

• Latest Modification Date:
• 2023-10-26

Latest Security News

U.S. recovers $31 million stolen in 2021 Uranium Finance hack

Qilin ransomware claims attack at Lee Enterprises, leaks stolen data

Police arrests suspects tied to AI-generated CSAM distribution ring

Amnesty Finds Cellebrite's Zero-Day Used to Unlock Serbian Activist's Android Phone

Serbian police used Cellebrite zero-day hack to unlock Android phones

Microsoft confirms it's killing off Skype in May, after 14 years

MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364)

RDP: a Double-Edged Sword for IT Teams – Essential Yet Exploitable

Top Alert List

Content Security Policy (CSP) Header Not Set

CSP

MediumMissing Anti-clickjacking Header

MediumAbsence of Anti-CSRF Tokens

MediumContent Security Policy (CSP) Header Not Set

InformationalInformation Disclosure - Suspicious Comments

LowCross-Domain JavaScript Source File Inclusion

HighPII Disclosure

InformationalRe-examine Cache-control Directives

MediumCross-Domain Misconfiguration

Latest CVE List

CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability

CVE-2023-34192 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

CVE-2017-3066 Adobe ColdFusion Deserialization Vulnerability

CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability

CVE-2025-24989 Microsoft Power Pages Improper Access Control Vulnerability

CVE-2025-23209 Craft CMS Code Injection Vulnerability

CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability

CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

CVE-2025-0108 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

CVE-2024-57727 SimpleHelp Path Traversal Vulnerability

Common CWEs

CWE-471 Modification of Assumed-Immutable Data (MAID)

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-491 Public cloneable() Method Without Final ('Object Hijack')

CWE-27 Path Traversal: 'dir/../../filename'

CWE-155 Improper Neutralization of Wildcards or Matching Symbols

CWE-281 Improper Preservation of Permissions

CWE-672 Operation on a Resource after Expiration or Release

HighCWE-327 Use of a Broken or Risky Cryptographic Algorithm

CWE-1085 Invokable Control Element with Excessive Volume of Commented-out Code

CWE-1122 Excessive Halstead Complexity