Path traversal — also called directory traversal or "dot-dot-slash" — is a vulnerability class tracked as CWE-22 that lets an attacker manipulate file path input to read, write, or execute files outside a web application's intended directory. It has been on the OWASP Top 10 in some form for over two decades, yet it keeps landing in CVE databases with critical severity scores. In October 2021, a single path normalization bug in Apache HTTP Server 2.4.49 (CVE-2021-41773) went from disclosure to active mass exploitation in under 72 hours, ultimately escalating to remote code execution on unpatched hosts. In 2019, path traversal in Citrix ADC (CVE-2019-19781) was linked to ransomware deployments across hundreds of organizations. This post breaks down how path traversal actually works, walks through named CVEs with dates and CVSS scores, and explains why the bug class refuses to die.
What Is a Path Traversal Vulnerability?
A path traversal vulnerability occurs when an application uses attacker-controlled input to build a file system path without properly validating or sanitizing sequences like ../, allowing access to files outside the intended directory. The classic payload looks like GET /images?file=../../../../etc/passwd, where each ../ walks the resolved path one directory up until it escapes the web root and lands in a sensitive location such as /etc/passwd, C:\Windows\win.ini, or an application's configuration files containing database credentials. MITRE's CWE-22 entry has existed since the CWE list's earliest versions because the underlying flaw — trusting user input to construct a filesystem path — appears anywhere an app reads uploaded files, serves static assets, processes ZIP archives, or resolves template names. Variants include absolute path injection, null-byte truncation (file.txt%00.jpg), and encoded traversal (%2e%2e%2f or double-encoded %252e%252e%252f) used specifically to slip past naive filters that only strip the literal ../ string once.
How Does a Path Traversal Attack Actually Work in Practice?
A path traversal attack works by chaining an unsanitized filename or path parameter to a filesystem or archive-extraction call so the resolved path lands outside the sandboxed directory the developer intended. Take a typical file-download endpoint: downloadReport(filename) concatenates "/var/app/reports/" + filename and opens the result. If filename arrives as ../../../../etc/shadow, string concatenation produces /var/app/reports/../../../../etc/shadow, which the OS resolves straight to /etc/shadow. The same mechanic powers "Zip Slip," a vulnerability class documented by Snyk researchers in 2018 across more than 30 libraries in Java, JavaScript, .NET, Go, and Python: a malicious archive contains an entry named ../../../../root/.ssh/authorized_keys, and a naive extraction loop writes that entry wherever the traversal points, turning a file upload feature into remote code execution. In both cases, the vulnerability isn't the ../ characters themselves — it's the missing step of canonicalizing the resolved path and verifying it still sits inside an allow-listed base directory before touching the filesystem.
What Real-World Breaches Trace Back to Path Traversal?
Several high-severity CVEs from 2017 through 2024 trace directly back to path traversal, and the pattern spans web servers, VPN gateways, and load balancers. CVE-2021-41773, disclosed on October 5, 2021, affected Apache HTTP Server 2.4.49 and scored 7.5 on CVSS 3.1 for path disclosure alone — but combined with mod-cgi enabled, it escalated (via the related CVE-2021-42013) to full remote code execution, and mass scanning began within a day of the advisory. CVE-2019-19781, the "Citrix ADC/Gateway" bug disclosed December 17, 2019, let unauthenticated attackers traverse to sensitive Perl scripts and chain into RCE; by January 2020 it was tied to ransomware intrusions at multiple enterprises and scored 9.8 CVSS. CVE-2018-13379, a path traversal in the FortiOS SSL VPN web portal, was still being actively exploited by ransomware affiliates as late as 2021 and made both CISA's and the FBI's top-exploited-vulnerabilities advisories for that year. CVE-2020-5902, in F5 BIG-IP's Traffic Management User Interface, combined path traversal with RCE and carried a CVSS score of 10.0 — the maximum possible. Even IIS wasn't spared: CVE-2017-7269, in a WebDAV component, was exploited in the wild years after patches shipped because so many internet-facing servers were never updated.
Why Do Path Traversal Bugs Still Get Introduced in 2026?
Path traversal bugs keep appearing because modern applications reintroduce the same trust boundary problem in new contexts — cloud storage SDKs, container image layers, LLM plugin file tools, and CI/CD artifact handling — faster than teams update their input-validation habits. Static filters that block a literal ../ are routinely bypassed by URL-encoding (%2e%2e%2f), overlong UTF-8 encoding, or mixing separators (..\/) on platforms that normalize both / and \. Framework "fixes" have also backfired: the Apache 2.4.49 bug existed specifically because a code change to path canonicalization introduced a regression that reopened a traversal path closed years earlier, showing that even mature, security-hardened codebases regress. Add in third-party and transitive dependencies — the Zip Slip research alone touched libraries embedded in countless downstream applications that had no idea they inherited the flaw — and a single unpatched library can reintroduce CWE-22 across dozens of products that never wrote a line of vulnerable code themselves.
How Do You Detect and Prevent Path Traversal Vulnerabilities?
You prevent path traversal by resolving the requested path to its canonical absolute form and verifying it is still contained within an explicit allow-listed base directory before any file operation runs — not by blacklisting ../ strings. Concretely: use language-provided canonicalization (realpath() in PHP, Path.GetFullPath in .NET, os.path.realpath in Python, filepath.Clean in Go) and then check with a prefix comparison, not a substring match, that the result starts with the intended root. Map user-supplied filenames to internal IDs or a lookup table instead of passing raw strings into filesystem calls wherever possible. For archive extraction, validate every entry's resolved path before writing — the exact control that was missing in the 2018 Zip Slip disclosures. Detection-side, dependency and SAST scanning should flag CWE-22 patterns pre-merge, but static analysis alone misses whether the vulnerable code path is actually reachable from an untrusted input in your specific deployment, which is where a large share of scanner-reported path traversal findings turn out to be false positives or dead code in practice.
How Safeguard Helps
Safeguard's reachability analysis traces whether a reported CWE-22 finding sits on a path actually exercised by untrusted input in your running application, cutting through the noise of scanners that flag every string-concatenated file path regardless of exploitability. Griffin AI reviews the surrounding code to confirm whether canonicalization and allow-list checks are present before a fix is proposed, so teams aren't re-triaging findings a human already ruled out. Safeguard generates and ingests SBOMs to track which of your dependencies bundle known-vulnerable file-handling or archive-extraction libraries — the same class of transitive risk that made Zip Slip span 30+ libraries in 2018 — and correlates that inventory against active CVEs like CVE-2021-41773 and CVE-2018-13379. When a real, reachable path traversal issue is confirmed, Safeguard opens an auto-fix pull request with the canonicalization and base-directory check applied inline, so the fix ships in the same review cycle instead of sitting in a backlog.