What is path traversal (directory traversal)?
Last reviewed June 2, 2026
Path traversal (also called directory traversal, CWE-22) is a vulnerability where untrusted input is used to build a file path, letting an attacker use sequences like ../ to reach files outside the intended directory. It can expose configuration files, source code, or credentials. Prevention relies on canonicalizing paths and validating them against an allowlisted base directory.
What path traversal is
Path traversal, tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), occurs when an application builds a filesystem path from user input without ensuring the result stays inside an intended directory. By inserting special path elements, an attacker can navigate up and out of that directory to access files anywhere the application's process can reach.
The signature element is the parent-directory sequence ../ (or ..\ on Windows), which is why the flaw is also called the dot-dot-slash attack.
How the attack works
Imagine an endpoint that serves files with a path like /var/www/files/$name, where name comes from a request parameter. If the attacker sets name to ../../../../etc/passwd, the resolved path climbs out of the files directory and points at /etc/passwd, exposing a sensitive system file. On Windows the same climb, using ..\ sequences, can reach a configuration file or a credential store.
Attackers bypass naive filters with encoded variants such as %2e%2e%2f, double-encoding, mixed separators, or absolute paths (an absolute path like /etc/passwd needs no dot-dot at all if the code concatenates it onto the base). A filter that only strips a literal ../ once is easily defeated: ....// becomes ../ after the strip. This is why string-based blocking is unreliable.
Real-world impact
- Disclosure of sensitive files: configuration, source code, SSH keys, or password files.
- Leakage of credentials that enable deeper compromise.
- In write contexts, overwriting files (such as a startup script), which can escalate to code execution.
- Exposure of application secrets that undermine other defenses.
How to prevent it
The reliable approach is to canonicalize first and then check containment against an allowlisted base directory; denylisting specific sequences invites bypasses.
- Canonicalize the full path (resolve . , .. , and symbolic links) and then verify the result is inside the intended base directory. Compare by path component, not by string prefix: /var/www/files2 passes a prefix test against /var/www/files but is not inside it.
- Validate the input against a strict allowlist; where possible, map user input to an ID or known filename rather than a raw path.
- Reject path separators and parent-directory sequences instead of trying to strip them.
- Run the process with least privilege so even a successful traversal reaches little.
- Use framework APIs that resolve and confine paths safely rather than concatenating strings.
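The attack and the defense above, side by side, as an added example that is not part of the original page. It is written in Python against a constructed temporary directory (a served directory "files" with one public file and a symlink, plus a "secret.txt" one level up standing in for a credential file), so nothing on a real system is touched. The vulnerable version strips a literal ../ once and concatenates; the hardened version canonicalizes with realpath and checks containment by path component. The filenames, payloads and helper names are all assumptions made for the example.

```python
import os
import tempfile
import urllib.parse
from typing import Optional


def naive_filter(name: str) -> str:
    """The kind of denylist the article warns against: strips a literal "../" once."""
    return name.replace("../", "", 1)


def vulnerable_path(base: str, name: str) -> str:
    """Vulnerable (kept deliberately so): filter once, then concatenate.

    os.path.join drops `base` entirely when `name` is absolute, so
    "/etc/passwd" escapes without a single dot-dot.
    """
    return os.path.join(base, naive_filter(name))


def safe_path(base: str, name: str) -> Optional[str]:
    """Hardened: canonicalize the full path, then check containment.

    `name` is assumed to be the parameter after the framework's single URL
    decode. Nothing here decodes again, so a double-encoded "%252e%252e%252f"
    reaches the filesystem as a literal, harmless filename.
    """
    real_base = os.path.realpath(base)
    # realpath resolves ".", "..", and symlinks, so a symlink inside `base`
    # that points outside is caught just like a dot-dot sequence.
    candidate = os.path.realpath(os.path.join(real_base, name))
    try:
        # commonpath rather than startswith: "/var/www/files2" passes a prefix
        # test against "/var/www/files" but is not inside it.
        inside = os.path.commonpath([real_base, candidate]) == real_base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    return candidate if inside else None


def build_sandbox():
    """Constructed fixture, not real server files: a served directory holding
    one public file and a symlink, plus a 'secret' one level up."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "files")
    os.mkdir(base)
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("public report\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("hypothetical credential\n")
    os.symlink(secret, os.path.join(base, "link"))
    return base, secret


# Attacker inputs as the application sees them after the framework's URL decode.
PAYLOADS = [
    urllib.parse.unquote("%2e%2e%2fsecret.txt"),  # "../secret.txt": the obvious form
    "....//secret.txt",   # becomes "../secret.txt" once the naive filter strips "../"
    "/etc/passwd",        # absolute path, no dot-dot at all
    "link",               # an in-directory symlink that points outside
    "report.txt",         # the legitimate request
]


def demo():
    """Run every payload through both versions; report what each one reached."""
    base, secret = build_sandbox()
    real_base = os.path.realpath(base)
    results = {}
    for payload in PAYLOADS:
        reached = os.path.realpath(vulnerable_path(base, payload))
        escapes = os.path.commonpath([real_base, reached]) != real_base
        safe = safe_path(base, payload)
        results[payload] = {
            "vulnerable_escapes_base": escapes,
            "safe_result": None if safe is None else os.path.relpath(safe, real_base),
        }
    return results


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print(f"{payload!r:22} vulnerable escapes: {outcome['vulnerable_escapes_base']!s:5} "
              f"hardened serves: {outcome['safe_result']}")
```

Two things worth noticing in the output. The naive filter does stop the plain ../secret.txt, which is exactly why such filters survive code review, yet ....//secret.txt, the absolute path and the symlink all escape. The hardened version lets ....//secret.txt through, and that is correct: after canonicalization it is a non-existent file inside the base directory, so the subsequent open simply fails instead of reading anything outside.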
Keep exploring
- CWE-22: Path Traversal: The MITRE weakness entry this article maps to.
- What is SSRF?: Another flaw that abuses an attacker-chosen resource locator.
- What is an IDOR?: A related access-control flaw using attacker-chosen identifiers.
- Browse the CWE directory: Explore the full catalog of weakness types.
- What is XXE?: XML external entity injection and its impact.
- What is command injection?: Running OS commands through unsanitized input.
Frequently asked questions
- What is path traversal in simple terms?
- It is when an attacker puts ../ sequences into a filename so the application reaches files outside the folder it was supposed to stay in, like reading /etc/passwd.
- What is the difference between path traversal and LFI?
- Path traversal is the underlying technique of escaping a directory. Local file inclusion (LFI) is a related issue where a traversed file is then included or executed, often combining traversal with code execution.
- How do you prevent path traversal?
- Canonicalize the resolved path and confirm it stays within an allowlisted base directory, validate input against an allowlist, avoid building paths from raw user input, and run with least privilege.
- Which CWE covers path traversal?
- Path traversal is CWE-22, Improper Limitation of a Pathname to a Restricted Directory (Path Traversal).