OWASP A01 · Broken Access Control · CWE-22 Path Traversal · High
Path traversal — ../ into arbitrary file read
User-controlled filenames with ../ escape the intended directory and read system files.
What happened
Path traversal (CWE-22) is one of the most actively exploited classes of 2025, showing up in file-download and template endpoints. A `?file=../../../../etc/passwd` reads outside the intended folder because the app joins user input to a base path without resolving the result and checking that it still lies under that base.
The code
✕ Vulnerable — Path traversal

// Shared setup assumed by both snippets (not shown on the original card):
const express = require("express");
const path = require("path");
const app = express();
const BASE = "/srv/files"; // assumed: absolute serving directory, no trailing separator

app.get("/download", (req, res) => {
  // path.join normalizes "../" but never checks where the result lands
  res.sendFile(path.join(BASE, req.query.file)); // ../ escapes BASE
});

✓ Fixed — Path traversal

app.get("/download", (req, res) => {
  const file = req.query.file;
  if (typeof file !== "string") return res.sendStatus(400); // query values can be arrays or objects
  const full = path.resolve(BASE, file);
  if (!full.startsWith(BASE + path.sep)) return res.sendStatus(400); // BASE + sep also rejects sibling dirs sharing the prefix
  res.sendFile(full); // resolve, then confirm it's still under BASE
});

References
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit.

Benteng · a Palu Gada tool.