Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin" to access unexpected files. This is referred to as absolute path traversal.
Path Traversal Guide
Read our in-depth guide on exploiting and mitigating this weakness
Potential Impact
Integrity, Confidentiality, Availability
Execute Unauthorized Code or Commands
Integrity
Modify Files or Directories
Confidentiality
Read Files or Directories
Availability
DoS: Crash, Exit, or Restart
Demonstrative Examples
my $dataPath = "/users/cwe/profiles";my $username = param("user");my $profilePath = $dataPath . "/" . $username;
open(my $fh, "<", $profilePath) || ExitError("profile read error: $profilePath");print "<ul>\n";while (<$fh>) {print "<li>$_</li>\n";}print "</ul>\n";../../../etc/passwd/users/cwe/profiles/../../../etc/passwd/etc/passwdString filename = System.getProperty("com.domain.application.dictionaryFile");File dictionaryFile = new File(filename);my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename);../../../etc/passwd../../etc/passwd/home/user/../../etc/passwdString path = getInputPath();if (path.startsWith("/safe_dir/")){File f = new File(path);f.delete()}/safe_dir/../important.datMitigations & Prevention
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively r
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to
Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.
Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If
Detection Methods
- Automated Static Analysis High — Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or
- Manual Static Analysis High — Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.
- Automated Static Analysis - Binary or Bytecode High — According to SOAR [REF-1479], the following detection techniques may be useful:
- Manual Static Analysis - Binary or Bytecode SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
- Dynamic Analysis with Automated Results Interpretation High — According to SOAR [REF-1479], the following detection techniques may be useful:
- Dynamic Analysis with Manual Results Interpretation High — According to SOAR [REF-1479], the following detection techniques may be useful:
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2024-37032 | Large language model (LLM) management tool does not validate the format of a digest value (CWE-1287) from a private, untrusted model registry, enabling relative |
| CVE-2024-4315 | Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusio |
| CVE-2024-0520 | Product for managing datasets for AI model training and evaluation allows both relative (CWE-23) and absolute (CWE-36) path traversal to overwrite files via the Content-Disposition header |
| CVE-2022-45918 | Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal u |
| CVE-2019-20916 | Python package manager does not correctly restrict the filename specified in a Content-Disposition header, allowing arbitrary file read using path traversal sequences such as "../" |
| CVE-2022-31503 | Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specifie |
| CVE-2022-24877 | directory traversal in Go-based Kubernetes operator app allows accessing data from the controller's pod file system via ../ sequences in a yaml file |
| CVE-2021-21972 | Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpecte |
| CVE-2020-4053 | a Kubernetes package manager written in Go allows malicious plugins to inject path traversal sequences into a plugin archive ("Zip slip") to copy a file outside the intended directory |
| CVE-2020-3452 | Chain: security product has improper input validation (CWE-20) leading to directory traversal (CWE-22), as exploited in the wild per CISA KEV. |
| CVE-2019-10743 | Go-based archive library allows extraction of files to locations outside of the target folder with "../" path traversal sequences in filenames in a zip file, aka "Zip Slip" |
| CVE-2010-0467 | Newsletter module allows reading arbitrary files using "../" sequences. |
| CVE-2006-7079 | Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22) |
| CVE-2009-4194 | FTP server allows deletion of arbitrary files using ".." in the DELE command. |
| CVE-2009-4053 | FTP server allows creation of arbitrary directories using ".." in the MKD command. |
Showing 15 of 23 observed examples.
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Path Traversal
- OWASP Top Ten 2007: A4 — Insecure Direct Object Reference
- OWASP Top Ten 2004: A2 — Broken Access Control
- CERT C Secure Coding: FIO02-C — Canonicalize path names originating from untrusted sources
- SEI CERT Perl Coding Standard: IDS00-PL — Canonicalize path names before validating them
- WASC: 33 — Path Traversal
- Software Fault Patterns: SFP16 — Path Traversal
- OMG ASCSM: ASCSM-CWE-22 —
Frequently Asked Questions
What is CWE-22?
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neu...
How can CWE-22 be exploited?
Attackers can exploit CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) to execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-22?
Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric
What is the severity of CWE-22?
CWE-22 is classified as a Base-level weakness (Medium abstraction). It has been observed in 23 real-world CVEs.