High SeverityA01:2021 - Broken Access ControlCWE-22

How to Fix Path Traversal in Spring Boot

Learn how to prevent and fix Path Traversal vulnerabilities in Spring Boot applications. Step-by-step guide with code examples, security checklists, and best practices.

What Is Path Traversal?

Path Traversal (also known as directory traversal or dot-dot-slash attacks) is a vulnerability that allows attackers to read, and sometimes write, arbitrary files on the server by manipulating file path references. The attack uses special characters like `../` (parent directory) to navigate outside the intended directory.

For example, if an application serves files from `/app/uploads/` based on user input, an attacker might request `../../../etc/passwd` to read the system's password file. The vulnerability occurs when applications use user-supplied input to construct file paths without proper validation or sandboxing.

In Node.js applications, path traversal can occur in: file upload/download handlers that use user-supplied filenames; static file serving that does not properly restrict the base directory; template rendering that accepts user-controlled template paths; and API routes that read configuration files based on user input. Next.js API routes and server components that handle file operations are potential attack surfaces.

Why It Matters

Path traversal can expose the entire server filesystem to an attacker. Sensitive files that might be accessed include application source code, configuration files with database credentials and API keys, environment files (.env), private keys and certificates, user-uploaded data belonging to other users, and operating system files. If write access is also possible, attackers can overwrite configuration files, inject malicious code, or create web shells. In containerized environments, path traversal might allow container escape if not properly sandboxed.

How to Fix It in Spring Boot

Never use user-supplied input directly in file path construction. Use a whitelist of allowed filenames or identifiers that map to actual file paths. Resolve the final path using `path.resolve()` and verify it falls within the expected base directory. Strip or reject path traversal sequences (../, ..\, and URL-encoded variants). Use `path.basename()` to extract just the filename from user input. Implement chroot jails or use containerization to limit filesystem access. Set restrictive file system permissions -- the application should only have access to directories it needs. For file uploads, generate random filenames rather than using user-supplied names.

Spring Boot-Specific Advice

Use Spring Security for authentication and authorization. Configure it properly -- the default configuration may be too permissive or too restrictive.
Use JPA/Hibernate with parameterized queries. Avoid `@Query` with string concatenation and native queries with user input.
Spring Security includes CSRF protection by default for server-rendered forms. Keep it enabled for session-based authentication.
Use `@Valid` and Bean Validation annotations (`@NotNull`, `@Size`, `@Pattern`) on request DTOs for input validation.

Spring Boot Security Checklist for Path Traversal

Audit all file system operations that use user-supplied input

Resolve file paths and verify they fall within the expected base directory

Use path.basename() to extract filenames from user input

Reject paths containing traversal sequences (../, ..\)

Generate random filenames for uploaded files rather than using user-supplied names

Set restrictive file system permissions on the application's directories

Run SafeVibe's path traversal scan on your Spring Boot application

Spring Boot Security Best Practices

Use Spring Security for authentication and authorization. Configure it properly -- the default configuration may be too permissive or too restrictive.

Use JPA/Hibernate with parameterized queries. Avoid `@Query` with string concatenation and native queries with user input.

Spring Security includes CSRF protection by default for server-rendered forms. Keep it enabled for session-based authentication.

Use `@Valid` and Bean Validation annotations (`@NotNull`, `@Size`, `@Pattern`) on request DTOs for input validation.

Disable Spring Boot Actuator endpoints in production or protect them with authentication. Actuator can expose sensitive internals.

Use Spring Security's password encoder (BCryptPasswordEncoder) for password hashing. Never use MD5 or SHA for passwords.

Configure CORS using `@CrossOrigin` annotations or `WebMvcConfigurer` with explicit allowed origins.

Use `spring-boot-starter-security` and configure `SecurityFilterChain` with method-level security (`@PreAuthorize`) for fine-grained access control.

Scan Your Spring Boot App with SafeVibe

Stop guessing if your Spring Boot app is vulnerable to Path Traversal. Run an automated penetration test in minutes and get actionable results.

Start Free Scan

Related Guides

Path Traversal in Other Frameworks

Express FastAPI Django Ruby on Rails

View all Path Traversal guides

More Spring Boot Security Guides

Cross-Site Scripting (XSS)SQL Injection Cross-Site Request Forgery (CSRF)Insecure Direct Object References (IDOR)

View all Spring Boot guides

What Is Path Traversal?

Why It Matters

How to Fix It in Spring Boot

Spring Boot-Specific Advice

Use Spring Security for authentication and authorization. Configure it properly -- the default configuration may be too permissive or too restrictive.
Use JPA/Hibernate with parameterized queries. Avoid `@Query` with string concatenation and native queries with user input.
Spring Security includes CSRF protection by default for server-rendered forms. Keep it enabled for session-based authentication.
Use `@Valid` and Bean Validation annotations (`@NotNull`, `@Size`, `@Pattern`) on request DTOs for input validation.