Cyber Resilience

CWE · MITRE source

CWE-24 Path Traversal: '../filedir'

Abstraction: Variant · CVEs in our corpus: 111

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The "../" manipulation is the canonical manipulation for operating systems that use "/" as directory separators, such as UNIX- and Linux-based systems. In some cases, it is useful for bypassing protection schemes in environments for which "/" is supported but not the primary separator, such as Windows, which uses "\" but can also accept "/".
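The following Python script is an added illustration for this page, not code from MITRE or from any of the CVEs listed below. It contrasts the weakness described above (user input joined onto a restricted directory with "../" left un-neutralized) with an insufficient fix (deleting the literal "../" once) and a hardened version that canonicalizes the result and checks that it still lies under the canonical base. It also maps "\" to "/" before checking, which is the check a practitioner wants on a host that accepts both separators. The directory layout, file names and payloads are constructed sample data; the "....//" and absolute-path cases go slightly beyond the '../filedir' variant this entry names and are included to show why "properly neutralize" means canonicalize-and-contain rather than substring deletion. Expected outcomes in the comments are for a POSIX host.

```python
import os
import shutil
import tempfile


def naive_join(base: str, user_path: str) -> str:
    """Vulnerable pattern (CWE-24): user input is joined onto the restricted
    directory with no neutralization, so "../" segments escape it. os.path.join
    also discards base entirely when user_path is absolute."""
    return os.path.join(base, user_path)


def strip_once(base: str, user_path: str) -> str:
    """Common but insufficient fix: delete the literal "../" substring once.
    "....//secret" collapses to "../secret" after that single pass."""
    return os.path.join(base, user_path.replace("../", ""))


def safe_join(base: str, user_path: str):
    """Hardened pattern: canonicalize, then require the result to stay inside
    the canonical base. Returns None when the path escapes.
    Backslashes are mapped to "/" first so a host that accepts both separators
    (Windows) cannot be walked with "..\\" while the check only sees "/".
    Drive letters and UNC prefixes are deliberately not handled here."""
    base_real = os.path.realpath(base)
    normalized = user_path.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(base_real, normalized))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def _read(path):
    """What the caller gets back for a resolved path: content, 'missing'
    (no such file) or 'blocked' (safe_join refused it)."""
    if path is None:
        return "blocked"
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return "missing"


def run_demo() -> dict:
    """Build a constructed layout (sample data, not from any real system):
         <tmp>/secret.txt        outside the restricted directory
         <tmp>/files/readme.txt  inside it
    and return {payload_name: (naive, strip_once, safe)} outcomes."""
    root = tempfile.mkdtemp()
    files = os.path.join(root, "files")
    os.mkdir(files)
    with open(os.path.join(files, "readme.txt"), "w") as f:
        f.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("SECRET")

    payloads = {
        "benign": "readme.txt",                        # all three read "public"
        "dotdot": "../secret.txt",                     # the CWE-24 manipulation
        "dotdot_doubled": "....//secret.txt",          # survives a single strip pass
        "backslash": "..\\secret.txt",                 # escapes on Windows; harmless on POSIX
        "absolute": os.path.join(root, "secret.txt"),  # join() discards base
    }
    results = {}
    for name, p in payloads.items():
        results[name] = (
            _read(naive_join(files, p)),
            _read(strip_once(files, p)),
            _read(safe_join(files, p)),
        )
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, (naive, once, safe) in run_demo().items():
        print(f"{name:15s} naive={naive:8s} strip_once={once:8s} safe={safe}")
```

On a POSIX host the "dotdot" payload reads the secret through naive_join and is blocked by safe_join; "dotdot_doubled" is harmless to naive_join but reads the secret through strip_once; "absolute" defeats both naive_join and strip_once because os.path.join discards the base. safe_join lets "dotdot_doubled" through as an in-base path that simply does not exist, which is the correct outcome: the check is about containment, not about the presence of dots.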

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 2 mapping(s) from 1 framework(s): ATT&CK 2 (partial)


NIST 800-53 r5 controls that address this weakness (0)

Control Title Family Why it addresses this CWE
No NIST controls proposed yet.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk, a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, including XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE              Flags     Risk  CVSS  EPSS    Published
CVE-2025-27920   KEV, UPD  10.0  7.2   0.0181  2025-05-05
CVE-2022-38129             7.0   9.8   0.1838  2022-08-10
CVE-2023-6699              7.0   9.1   0.0087  2024-01-11
CVE-2025-61318             7.0   9.1   0.0061  2025-12-08
CVE-2026-39813             7.0   9.8   0.1674  2026-04-14
CVE-2025-60344             6.0   8.6   0.1027  2025-10-21
CVE-2021-26725             5.5   7.2   0.0106  2021-02-22
CVE-2020-7882              5.5   7.5   0.0121  2021-11-22
CVE-2021-33036             5.5   8.8   0.0325  2022-06-15
CVE-2022-36065             5.5   7.5   0.0106  2022-09-06
CVE-2023-1800              5.5   7.3   0.0352  2023-04-02
CVE-2023-52076             5.5   8.5   0.0102  2024-01-25
CVE-2024-22079   UPD       5.5   7.5   0.0102  2024-03-20
CVE-2024-23657             5.5   8.8   0.0114  2024-08-05
CVE-2025-48050   UPD       5.5   7.5   0.0039  2025-05-15
CVE-2025-53513   UPD       5.5   8.8   0.0065  2025-07-08
CVE-2025-54769   UPD       5.5   8.8   0.0304  2025-07-29
CVE-2025-59049             5.5   7.5   0.0166  2025-09-10
CVE-2025-57618             5.5   7.3   0.0065  2025-10-14
CVE-2023-53691             5.5   8.3   0.0117  2025-10-22
CVE-2025-63298             5.5   8.2   0.0047  2025-10-30
CVE-2025-51661             5.5   7.5   0.0046  2025-11-19
CVE-2025-67364             5.5   7.5   0.0058  2026-01-07
CVE-2026-28427             5.5   7.5   0.0043  2026-03-04
CVE-2026-41082   UPD       5.5   7.3   0.0018  2026-04-16