1. Home
  2. CWE Database
  3. CWE-49
Variant · Low-Medium

CWE-49: Path Equivalence: 'filename/' (Trailing Slash)

The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system...

CWE-49 · Variant Level ·6 CVEs

Description

The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Potential Impact

Confidentiality, Integrity

Read Files or Directories, Modify Files or Directories

Real-World CVE Examples

CVE IDDescription
CVE-2002-0253Overlaps infoleak
CVE-2001-0446Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
CVE-2004-0334Bypass Basic Authentication for files using trailing "/"
CVE-2001-0893Read sensitive files with trailing "/"
CVE-2001-0892Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
CVE-2004-1814Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.

CWE-41: Improper Resolution of Path Equivalence

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use...

CWE-162: Improper Neutralization of Trailing Special Elements

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing sp...

Taxonomy Mappings

  • PLOVER: — filedir/ (trailing slash, trailing /)
  • Software Fault Patterns: SFP16 — Path Traversal

Frequently Asked Questions

What is CWE-49?

CWE-49 (Path Equivalence: 'filename/' (Trailing Slash)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system...

How can CWE-49 be exploited?

Attackers can exploit CWE-49 (Path Equivalence: 'filename/' (Trailing Slash)) to read files or directories, modify files or directories. This weakness is typically introduced during the Implementation, Operation phase of software development.

How do I prevent CWE-49?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-49?

CWE-49 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 6 real-world CVEs.