CVE-2025-14306
published 2025-12-09


Priority: P2 (60), severity critical, CVSS 3.1 base score 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.90% (percentile 55.1)
A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions.

Reference: https://robo-code.blogspot.com/

Affected (4 ranges)

Vendor            Product    Version range    Fixed in
debian            robocode
robocode          robocode
robocode_project  robocode
ubuntu            robocode

Detection & IOCs (extracted from sources)

  • The vulnerability resides in the CacheCleaner component's `recursivelyDelete` method, which fails to sanitize file paths: monitor or audit calls to this method with path inputs containing traversal sequences (e.g., `../`).
  • The affected package is `net.sf.robocode:robocode.core` (specifically the `CacheCleaner` component) in Robocode version 1.9.3.6: flag the presence of this version in Java dependency inventories.
  • Exploitation involves submitting specially crafted inputs that manipulate file paths: look for directory traversal patterns in inputs passed to Robocode's cache-cleaning functionality.
  • No public exploit is available as of the published date; EPSS exploitation probability is 0.6% (69th percentile). Scope is listed as local, limiting the remote attack surface.
  • No fix is available for Debian 11 (bullseye), Debian 12/13 (bookworm/trixie), or Debian 14 (forky/sid) as of Dec 10, 2025; a fix exists only in Maven.
  • Vulnerability scope is local per the Debian Security Tracker, meaning an attacker requires local access or the ability to supply crafted input to the running Robocode process.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd            v4.0     10.0   CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Red
osv                     10.0   CRITICAL
vendor_debian           10.0   CRITICAL
vendor_ubuntu           9.8    CRITICAL