CWE-73 Base Draft High likelihood

External Control of File Name or Path

This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations.

Definition

What is CWE-73?

This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations.
Path manipulation vulnerabilities arise when an attacker can control the path used in operations like reading, writing, or deleting files. By crafting special inputs containing sequences like '../' (directory traversal), they can force the application to access files or directories outside the intended, restricted location. This can lead to unauthorized access to sensitive system files, application source code, or configuration data. For a successful attack, two conditions must be met: the attacker must be able to specify the path used in a filesystem operation, and doing so must grant them a capability they shouldn't have, such as overwriting a critical file, reading private data, or forcing the application to use a malicious configuration file. The core defense is to never trust user input for path construction; instead, use allowlists, canonicalize paths, and then validate them against a strict list of permitted directories.
Real-world impact

Real-world CVEs caused by CWE-73

  • CVE-2022-45918

    Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24)

  • CVE-2008-5748

    Chain: external control of values for user's desired language and theme enables path traversal.

  • CVE-2008-5764

    Chain: external control of user's target language enables remote file inclusion.

How attackers exploit it

Step-by-step attacker path

  1. 1

    Identify a code path that handles untrusted input without validation.

  2. 2

    Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.

  3. 3

    Deliver the payload through a normal request and observe the application's reaction.

  4. 4

    Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable Java

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).

Vulnerable Java 
String rName = request.getParameter("reportName");
  File rFile = new File("/usr/local/apfr/reports/" + rName);
  ...
  rFile.delete();
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-73

  • Architecture and Design When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
  • Architecture and Design / Operation Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
  • Architecture and Design For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
  • Implementation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
  • Implementation Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
  • Installation / Operation Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
  • Operation / Implementation If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
  • Testing Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Detection signals

How to detect CWE-73

Automated Static Analysis

The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.

Plexicus auto-fix

Plexicus auto-detects CWE-73 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-73?

This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations.

How serious is CWE-73?

MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.

What languages or platforms are affected by CWE-73?

MITRE lists the following affected platforms: Unix, Windows, macOS.

How can I prevent CWE-73?

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability. Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all…

How does Plexicus detect and fix CWE-73?

Plexicus's SAST engine matches the data-flow signature for CWE-73 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-73?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/73.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-73

CWE-642 Parent

External Control of Critical State Data

This vulnerability occurs when an application stores security-sensitive state data in locations that unauthorized users can access and…

CWE-15 Sibling

External Control of System or Configuration Setting

This vulnerability occurs when an application allows users to directly modify critical system settings or configuration values from an…

CWE-426 Sibling

Untrusted Search Path

This vulnerability occurs when an application relies on an external search path, provided by a user or environment, to find and load…

CWE-472 Sibling

External Control of Assumed-Immutable Web Parameter

This vulnerability occurs when a web application incorrectly trusts data that appears to be fixed or hidden from the user, such as values…

CWE-565 Sibling

Reliance on Cookies without Validation and Integrity Checking

This vulnerability occurs when an application uses cookies to make security decisions—like granting access or changing settings—but fails…

CWE-22 Can precede

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

This vulnerability occurs when an application builds a file path using user input but fails to properly validate it, allowing an attacker…

CWE-41 Can precede

Improper Resolution of Path Equivalence

This vulnerability occurs when an application fails to properly handle different text representations that refer to the same file or…

CWE-98 Can precede

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion…

CWE-434 Can precede

Unrestricted Upload of File with Dangerous Type

This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.