CVE-2025-14306
Published 2025-12-09
Priority P2 · 60 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.90% (55.1st percentile)
A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | robocode | — | — |
| robocode | robocode | — | — |
| robocode_project | robocode | — | — |
| ubuntu | robocode | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability resides in the CacheCleaner component's `recursivelyDelete` method, which fails to sanitize file paths — monitor or audit calls to this method with path inputs containing traversal sequences (e.g., `../`).
- Affected package is `net.sf.robocode:robocode.core` (specifically the `CacheCleaner` component) in Robocode version 1.9.3.6 — flag presence of this version in Java dependency inventories.
- Exploitation involves submitting specially crafted inputs that manipulate file paths — look for directory traversal patterns in inputs passed to Robocode's cache-cleaning functionality.
- No public exploit is available as of the published date; EPSS exploitation probability is 0.6% (69th percentile). Scope is listed as local, limiting remote attack surface.
- No fix is available for Debian 11 (bullseye), Debian 12/13 (bookworm/trixie), or Debian 14 (forky/sid) as of Dec 10, 2025; a fix exists only in Maven.
- Vulnerability scope is local per Debian Security Tracker, meaning an attacker requires local access or the ability to supply crafted input to the running Robocode process.
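As an added illustration of the defensive check the description above implies (this is not Robocode's code, nor its actual fix), a recursive delete confined to one cache root: the `SafeCacheCleaner` class, its method names and the constructed temp-directory sample are all assumptions for the example. It rejects lexical traversal (`..`, absolute paths, the root itself) and then re-checks the real path so a symlink inside the cache cannot redirect deletion outside it.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Comparator;
import java.util.stream.Stream;

/** Hypothetical hardened cleaner (not Robocode's code): deletion is confined to one cache root. */
public final class SafeCacheCleaner {
    private final Path cacheRoot;
    public SafeCacheCleaner(Path cacheRoot) throws IOException {
        // Resolve the root once (symlinks included) so every containment check compares real paths.
        this.cacheRoot = cacheRoot.toRealPath();
    }

    /** True only if the candidate still lies inside the cache root after ".." and symlinks resolve. */
    public boolean isInsideCacheRoot(String candidate) throws IOException {
        Path resolved = cacheRoot.resolve(candidate).normalize();
        // Lexical check: rejects "../../etc", absolute paths, and the root itself.
        if (!resolved.startsWith(cacheRoot) || resolved.equals(cacheRoot)) {
            return false;
        }
        // An existing entry may be a symlink pointing outside the root; compare its real location.
        return !Files.exists(resolved, LinkOption.NOFOLLOW_LINKS)
                || resolved.toRealPath().startsWith(cacheRoot);
    }
    /** Recursive delete that refuses any input failing the containment check. */
    public boolean recursivelyDelete(String candidate) throws IOException {
        if (!isInsideCacheRoot(candidate)) {
            return false; // log the rejected input: traversal sequences here are a detection signal
        }
        Path target = cacheRoot.resolve(candidate).normalize();
        // Files.walk does not follow symlinks, so a link inside the cache is removed, not descended.
        try (Stream<Path> paths = Files.walk(target)) {
            paths.sorted(Comparator.reverseOrder()).forEach(p -> {
                try { Files.delete(p); } catch (IOException e) { throw new UncheckedIOException(e); }
            });
        }
        return true;
    }
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("robocode-cache"); // constructed sample cache root
        Files.createFile(root.resolve("stale.bin"));
        SafeCacheCleaner cleaner = new SafeCacheCleaner(root);
        System.out.println(cleaner.recursivelyDelete("../../etc")); // false: rejected
        System.out.println(cleaner.recursivelyDelete("stale.bin"));  // true: deleted inside root
    }
}
```

An `IOException` from `toRealPath` (for example a dangling symlink) should be treated by the caller as a refusal, not as permission to proceed.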
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Red |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
OSV
osv · 2025-12-09
CVE-2025-14306 [CRITICAL]: Robocode vulnerable to Directory Traversal in recursivelyDelete Method
OSV
osv · 2025-12-09 · CVSS 10.0
CVE-2025-14306 [CRITICAL]: CVE-2025-14306: A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1
GHSA
ghsa · 2025-12-09
CVE-2025-14306 [CRITICAL] CWE-22: Robocode vulnerable to Directory Traversal in recursivelyDelete Method
Ubuntu
vendor_ubuntu · 2026-06-04 · CVSS 9.8
CVE-2025-14307 [CRITICAL]: Robocode vulnerabilities
Summary: Several security issues were fixed in Robocode.
It was discovered that Robocode could be tricked into making network requests to attacker-controlled systems. An attacker could possibly use this issue to cause external service interaction, resulting in information disclosure. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10648)
Lim Sim Yee discovered that Robocode did not properly validate file paths in the CacheCleaner component. An attacker could possibly use this issue to delete arbitrary files. (CVE-2025-14306)
Lim Sim Yee discovered that Robocode did not securely create temporary files in the AutoExtract component. An attacker could possibly use this issue to manipulate temporary files, resulting in arbitrary code
Debian
vendor_debian · 2025 · CVSS 10.0
CVE-2025-14306 [CRITICAL]: robocode - A directory traversal vulnerability exists in the CacheCleaner component of Robo...
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.