nginx merge slashes path traversal

Mohammed Amer
Dec 31, 2021

Well Hello,

This is my first write-up, about a path traversal that I found in the DoD. I hope you enjoy reading it.


A vulnerability in the remote Nginx server concerns how it merges adjacent slashes ('//') in the URI: with merging turned off, the normalization that should have protected the website from directory traversal was missing, leaving the server vulnerable.

First of all, this issue can’t be reproduced via the browser (browsers resolve the ‘../’ segments before sending the request), so you need another way to send it, such as Burp Suite:

GET ///////../../../etc/passwd


In order to exploit the traversal vulnerability in this app, you can request a file from a parent directory by using the ‘///////../../../’ notation. Here we request the /etc/passwd file directly from the server.

How we determined that merge_slashes is ‘off’:

Within the NGINX documentation, we are able to see that the merge_slashes default value is “On”. Therefore two or more ‘/’ characters will be normalized into one ‘/’ character.

Enables or disables compression of two or more adjacent slashes in a URI into a single slash.

Syntax: merge_slashes on | off;
Default: merge_slashes on;
Context: http, server

When the merge_slashes configuration is turned on, using multiple slashes ‘///’ did not allow us to exploit that vulnerability successfully.
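
To find where this setting is off on your own servers, here is an added example (not code from this write-up or from the nginx project) that reads an nginx configuration and reports the effective merge_slashes value for each server block, using the default and the http/server contexts quoted above. The sample config, the function names and the simplified tokenizer (no include files, no quoted strings containing braces) are assumptions.

```python
import re

# Constructed sample config (not from the page): server "a" inherits the
# documented default, server "b" explicitly disables slash merging.
SAMPLE_CONF = """
http {
    server {
        server_name a.example;
    }
    server {
        server_name b.example;
        merge_slashes off;  # weak setting: adjacent slashes are not merged
        location / { root /var/www; }
    }
}
"""

def audit_merge_slashes(conf):
    """Return [(server_name, effective merge_slashes)] per server block."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    stack, stmt, servers = [], [], []
    http_value = "on"  # default according to the nginx documentation
    for tok in tokens:
        if tok == "{":  # the words before '{' name the block being opened
            stack.append({"kind": stmt[0] if stmt else "", "name": "?", "value": None})
            stmt = []
        elif tok == "}":
            block, stmt = (stack.pop() if stack else {"kind": ""}), []
            if block["kind"] == "server":
                servers.append((block["name"], block["value"]))
        elif tok == ";":
            block = stack[-1] if stack else None
            if block and len(stmt) >= 2:
                if stmt[0] == "merge_slashes" and block["kind"] == "http":
                    http_value = stmt[1]
                elif stmt[0] == "merge_slashes" and block["kind"] == "server":
                    block["value"] = stmt[1]
                elif stmt[0] == "server_name" and block["kind"] == "server":
                    block["name"] = stmt[1]
            stmt = []
        else:
            stmt.append(tok)
    # A server without its own directive inherits the http-level value.
    return [(name, value or http_value) for name, value in servers]

def servers_with_merging_off(conf):
    return [name for name, value in audit_merge_slashes(conf) if value == "off"]

if __name__ == "__main__":
    for name, value in audit_merge_slashes(SAMPLE_CONF):
        print(f"{name}: merge_slashes {value}" + ("  <-- review" if value == "off" else ""))
```

Any server reported with merge_slashes off deserves a review of why merging was disabled and whether its location and path-handling rules still hold for URIs with repeated slashes.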