CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-V364-RR92-9X6X
Vulnerability from github – Published: 2022-04-14 00:00 – Updated: 2022-04-22 00:01** UNSUPPORTED WHEN ASSIGNED ** A post-authentication arbitrary file read vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically the SRA appliances running all 8.x, 9.0.0.5-19sv and earlier versions and Secure Mobile Access (SMA) 100 series products running older firmware 9.0.0.9-26sv and earlier versions.
{
"affected": [],
"aliases": [
"CVE-2022-22279"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-13T06:15:00Z",
"severity": "MODERATE"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** A post-authentication arbitrary file read vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically the SRA appliances running all 8.x, 9.0.0.5-19sv and earlier versions and Secure Mobile Access (SMA) 100 series products running older firmware 9.0.0.9-26sv and earlier versions.",
"id": "GHSA-v364-rr92-9x6x",
"modified": "2022-04-22T00:01:09Z",
"published": "2022-04-14T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22279"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V3F4-7PP9-6F99
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personality_folder on the victim's computer.
{
"affected": [],
"aliases": [
"CVE-2024-7058"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as \u0027./\u0027. This can lead to unauthorized access to directories within the personality_folder on the victim\u0027s computer.",
"id": "GHSA-v3f4-7pp9-6f99",
"modified": "2025-03-20T12:32:46Z",
"published": "2025-03-20T12:32:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7058"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/148fce03-0f5a-4939-b636-b7f9848765e4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V45H-MQF4-6939
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-07-01 22:08Relative Path Traversal vulnerability in Apache Ignite REST API.
Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0.
Users are recommended to upgrade to version 2.18.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ignite:ignite-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48977"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T22:08:33Z",
"nvd_published_at": "2026-05-28T10:16:23Z",
"severity": "HIGH"
},
"details": "Relative Path Traversal vulnerability in Apache Ignite REST API.\n\nAuthenticated REST API users can read any file on the server with \"cmd=log\" command and a log path crafted in a certain way.\nThis issue affects Apache Ignite: from 2.0.0 through 2.17.0.\n\nUsers are recommended to upgrade to version 2.18.0, which fixes the issue.",
"id": "GHSA-v45h-mqf4-6939",
"modified": "2026-07-01T22:08:34Z",
"published": "2026-05-28T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48977"
},
{
"type": "WEB",
"url": "https://github.com/apache/ignite/commit/5c42c7a303937844179ad470edb35c1ad1cee6ab"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/ignite"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/hgct6918sowd8l58yjohryhpxx81t4n1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/28/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Apache Ignite REST API Has a Relative Path Traversal Vulnerability"
}
GHSA-V53G-5GJP-272R
Vulnerability from github – Published: 2024-02-15 15:34 – Updated: 2024-02-15 15:34A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.
Impact
When either the Helm client or SDK is used to save a chart whose name within the Chart.yaml file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.
Patches
This issue has been resolved in Helm v3.14.1.
Workarounds
Check all charts used by Helm for path changes in their name as found in the Chart.yaml file. This includes dependencies.
Credits
Disclosed by Dominykas Blyžė at Nearform Ltd.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.14.0"
},
"package": {
"ecosystem": "Go",
"name": "helm.sh/helm/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25620"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-15T15:34:40Z",
"nvd_published_at": "2024-02-15T00:15:45Z",
"severity": "MODERATE"
},
"details": "A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.\n\n### Impact\n\nWhen either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.\n\n### Patches\n\nThis issue has been resolved in Helm v3.14.1.\n\n### Workarounds\n\nCheck all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.\n\n### Credits\n\nDisclosed by Dominykas Bly\u017e\u0117 at Nearform Ltd.",
"id": "GHSA-v53g-5gjp-272r",
"modified": "2024-02-15T15:34:40Z",
"published": "2024-02-15T15:34:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/helm/helm/security/advisories/GHSA-v53g-5gjp-272r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25620"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/0d0f91d1ce277b2c8766cdc4c7aa04dbafbf2503"
},
{
"type": "PACKAGE",
"url": "https://github.com/helm/helm"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/releases/tag/v3.14.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Helm dependency management path traversal"
}
GHSA-V5CP-F652-48W9
Vulnerability from github – Published: 2023-02-28 18:30 – Updated: 2023-03-09 21:30Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass.This issue affects Access Management Java Policy Agent: from 1.0.0 through 5.10.1.
{
"affected": [],
"aliases": [
"CVE-2023-0511"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-28T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass.This issue affects Access Management Java Policy Agent: from 1.0.0 through 5.10.1.",
"id": "GHSA-v5cp-f652-48w9",
"modified": "2023-03-09T21:30:19Z",
"published": "2023-02-28T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0511"
},
{
"type": "WEB",
"url": "https://backstage.forgerock.com/downloads/browse/am/featured/java-agents"
},
{
"type": "WEB",
"url": "https://backstage.forgerock.com/knowledge/kb/article/a21576868"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V5H7-6V7V-X933
Vulnerability from github – Published: 2026-07-03 21:31 – Updated: 2026-07-03 21:31Relative path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2026-58522"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T21:17:05Z",
"severity": "MODERATE"
},
"details": "Relative path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally.",
"id": "GHSA-v5h7-6v7v-x933",
"modified": "2026-07-03T21:31:41Z",
"published": "2026-07-03T21:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58522"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58522"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V5XG-69CV-GVWX
Vulnerability from github – Published: 2025-09-23 21:30 – Updated: 2025-09-23 21:30The eHRD CTMS developed by Sunnet has an Arbitrary File Reading vulnerability, allowing remote attackers with administrator privileges to exploit Relative Path Traversal to download arbitrary system files.
{
"affected": [],
"aliases": [
"CVE-2025-9570"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-01T04:15:51Z",
"severity": "MODERATE"
},
"details": "The eHRD CTMS developed by Sunnet has an Arbitrary File Reading vulnerability, allowing remote attackers with administrator privileges to exploit Relative Path Traversal to download arbitrary system files.",
"id": "GHSA-v5xg-69cv-gvwx",
"modified": "2025-09-23T21:30:54Z",
"published": "2025-09-23T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9570"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10357-7de41-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10356-ea431-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V6JM-V768-76H2
Vulnerability from github – Published: 2023-10-04 12:30 – Updated: 2024-04-04 08:16Relative path traversal vulnerability in Setelsa Security's ConacWin CB, in its 3.8.2.2 version and earlier, the exploitation of which could allow an attacker to perform an arbitrary download of files from the system via the "Download file" parameter.
{
"affected": [],
"aliases": [
"CVE-2023-3512"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-04T11:15:10Z",
"severity": "HIGH"
},
"details": "Relative path traversal vulnerability in Setelsa Security\u0027s ConacWin CB, in its 3.8.2.2 version and earlier, the exploitation of which could allow an attacker to perform an arbitrary download of files from the system via the \"Download file\" parameter.",
"id": "GHSA-v6jm-v768-76h2",
"modified": "2024-04-04T08:16:01Z",
"published": "2023-10-04T12:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3512"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-v6jm-v768-76h2"
},
{
"type": "WEB",
"url": "https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V6QH-PM8G-3C5W
Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-07 12:31A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
{
"affected": [],
"aliases": [
"CVE-2026-14476"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T10:16:39Z",
"severity": "HIGH"
},
"details": "A path traversal flaw was found in SSSD\u0027s AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.",
"id": "GHSA-v6qh-pm8g-3c5w",
"modified": "2026-07-07T12:31:35Z",
"published": "2026-07-07T12:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14476"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-14476"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496581"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V78G-P78J-5486
Vulnerability from github – Published: 2023-09-11 21:30 – Updated: 2023-09-11 21:30Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
{
"affected": [],
"aliases": [
"CVE-2023-4897"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-11T21:15:42Z",
"severity": "HIGH"
},
"details": "Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.",
"id": "GHSA-v78g-p78j-5486",
"modified": "2023-09-11T21:30:17Z",
"published": "2023-09-11T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4897"
},
{
"type": "WEB",
"url": "https://github.com/mintplex-labs/anything-llm/commit/3c88aec034934bcbad30c5ef1cab62cbbdb98e64"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/0631af48-84a3-4019-85db-f0f8b12cb0ab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.