Friday 26 June 2026 04:32:14 GMT+02:00

Netcrook


WIKICROOK

CWE-23

MITRE’s category for relative path traversal weaknesses in file handling.

CWE-23 (Relative Path Traversal) is MITRE's CWE entry for a flaw where an application builds a file path from user-controlled input without checking where that path resolves, and the input is a relative path. An attacker supplies sequences such as ../ (or ..\ on Windows, often URL-encoded as %2e%2e%2f) to climb out of the intended directory and reach files elsewhere on the system. It is a child of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory); its sibling CWE-36 covers the absolute-path variant, where the attacker supplies a full path such as /etc/passwd instead of climbing with ../.

This matters because file-handling bugs can expose sensitive data, overwrite configuration, or plant malicious content. In real attacks, path traversal is used to read secrets, tamper with logs, or reach privileged files through upload, download, or transfer features. The control that actually holds is to canonicalize the requested path (resolving .., symlinks, and any encoding) and then verify that the resolved result still lies inside the approved directory. Allowlisting acceptable file names and rejecting traversal tokens are useful extra layers but not a substitute: a filter that merely strips ../ from the input can be bypassed with a sequence such as ....//, which becomes ../ after one stripping pass, and encoded or platform-specific forms (..\, %2e%2e/) slip past a naive string match. Running the service with least privilege limits the damage if a traversal flaw is missed.
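The three variants described above side by side, as an added example that is not part of the Netcrook entry or of any real project: a download handler that joins user input to a base directory unchecked (the CWE-23 pattern), a token-stripping "fix" that the ....// trick defeats, and a canonical-path check that resolves the path first and then confirms it is still under the base. The directory layout (a downloads/ root with report.txt, and a secret.txt one level above it) is constructed in a temporary directory for the demo; the function names are illustrative.

```python
"""Relative path traversal (CWE-23): vulnerable join, bypassable token filter,
and a canonical-path check. Added example with a constructed sandbox."""
import tempfile
import urllib.parse
from pathlib import Path
from typing import Optional

# Constructed sandbox standing in for the application's download root.
_ROOT = Path(tempfile.mkdtemp())
BASE_DIR = _ROOT / "downloads"
BASE_DIR.mkdir()
(BASE_DIR / "report.txt").write_text("quarterly report\n")
# A file one level above the download root that users must never reach.
(_ROOT / "secret.txt").write_text("db_password=hunter2\n")


def vulnerable_read(user_path: str) -> str:
    """CWE-23 as it appears in the wild: the relative path from the request
    is joined to the base directory and read without checking the result."""
    return (BASE_DIR / user_path).read_text()


def filtered_read(user_path: str) -> str:
    """A common but wrong 'fix': strip the traversal token once. The check
    runs on the input string, not on where the path resolves, so
    '....//secret.txt' turns into '../secret.txt' after stripping."""
    cleaned = user_path.replace("../", "")
    return (BASE_DIR / cleaned).read_text()


def resolve_in_base(user_path: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Canonicalise the requested path and confirm it stays under `base`.
    Returns the resolved path, or None if it escapes."""
    # Decode once so '%2e%2e%2f' and '../' are treated the same. Assumes the
    # web framework has not already decoded the value; decoding twice would
    # itself open a bypass (%252e).
    decoded = urllib.parse.unquote(user_path)
    # Treat '\' as a separator, as Windows would; POSIX pathlib would not.
    decoded = decoded.replace("\\", "/")
    base = base.resolve()
    # resolve() collapses '..' and follows symlinks, so a link inside the
    # base that points outside it is caught as well. An absolute input
    # replaces the base in the join and fails the containment check below.
    target = (base / decoded).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    if target == base:
        return None  # the directory itself is not a downloadable file
    return target


def safe_read(user_path: str) -> str:
    """Hardened handler: read only if the canonical path is inside BASE_DIR."""
    target = resolve_in_base(user_path)
    if target is None:
        raise PermissionError(f"path escapes download root: {user_path!r}")
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_text()


def demo() -> dict:
    """Run the probes and report which handler leaks and what the check allows."""
    out = {}
    out["vulnerable ../secret.txt"] = vulnerable_read("../secret.txt")
    out["filtered ....//secret.txt"] = filtered_read("....//secret.txt")
    out["safe report.txt"] = safe_read("report.txt")
    probes = ("../secret.txt", "..%2Fsecret.txt", "%2e%2e/secret.txt",
              "sub/../../secret.txt", "..\\secret.txt", "/etc/hostname",
              "....//secret.txt", "report.txt")
    for probe in probes:
        out[f"allowed {probe}"] = resolve_in_base(probe) is not None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} -> {value!r}")
```

The ....// probe is allowed by resolve_in_base, and that is correct: once canonicalized it names downloads/..../secret.txt, a harmless nonexistent path inside the base. The containment check does not need a list of tricks because it reasons about the final location rather than the input string; the list of tricks only matters to the filter that does string matching.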

← WIKICROOK index