CWE-22 · Improper Limitation of a Pathname to a Restricted Directory

Path Traversal

CWE-22 · 4 case studies

Path Traversal occurs when a user-supplied filename or path is used to construct a filesystem operation without being properly sanitized. By injecting ../ sequences (or their URL-encoded equivalents), attackers navigate outside the intended directory — reading sensitive files like /etc/passwd or private keys, overwriting configuration, or in some cases achieving code execution by writing to locations where the runtime will later execute them.

It commonly appears in file upload handlers, static file servers, export features, and PDF/document generation — exactly the kind of utility code that gets added in a PR and reviewed quickly. The jsPDF path traversal (CVE-2025-68428) exploited a PDF export feature that wrote files to a path derived from user input without normalizing ../ sequences.

PullLight checks all filesystem operations (fs.readFile, fs.writeFile, path.join with user input) and flags paths that include user-controlled components without path.normalize() followed by a directory prefix check.

Case studies in this class

CVE-2025-24813 (CVSS 9.8, tomcat) · Tomcat Partial PUT RCE: Path Equivalence + Unsafe Deserialization in DefaultServlet
CVE-2025-24813 (CVSS 9.8, tomcat) · Apache Tomcat Path Equivalence RCE: RCE via Partial PUT Path Equivalence
CVE-2025-68428 (CVSS 9.2, jspdf) · jsPDF Path Traversal: Path Traversal via Unsanitized File Write
CVE-2025-20868 (CVSS 9.1, golang-jwt/jwt) · golang-jwt/jwt Claims File Read: Arbitrary File Read via pct-decoding in claims parsing

Frequently asked questions

What is Path Traversal?
Path Traversal (also called directory traversal) occurs when an application uses user-controlled input to construct a filesystem path without proper validation, allowing attackers to access files outside the intended directory by using sequences like ../.
How do you prevent Path Traversal?
Normalize the path with path.resolve() or path.normalize(), then verify it starts with the expected base directory. Use a UUID or database-ID as the filename rather than any user-provided string. Never pass user input directly to filesystem APIs.
Can AI catch Path Traversal in code review?
Yes — AI review looks for fs.* calls where the path argument is derived from user input and checks whether proper normalization and prefix validation are present before the call.
Has PullLight caught real Path Traversal vulnerabilities?
Yes. PullLight flagged Path Traversal in jspdf (CVE-2025-68428, CVSS 9.2) and identified path equivalence issues in Apache Tomcat (CVE-2025-24813) and golang-jwt claims parsing (CVE-2025-20868).
PullLight catches Path Traversal in live code review.
Hooks into GitHub PRs automatically — flags taint flows, not just lint rules.