CVE-2025-14306

Name: CVE-2025-14306
Description: A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1122289

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version   | Status
robocode (PTS) | bullseye           | 1.9.3.9-2 | vulnerable
               | bookworm           | 1.9.3.9-3 | vulnerable
               | forky, sid, trixie | 1.9.3.9-4 | vulnerable

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
robocode | source | (unstable) | (unfixed)     |         |        | 1122289

Notes

https://github.com/robo-code/robocode/pull/67
Fixed by: https://github.com/robo-code/robocode/commit/26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f (VER_1_9_5_6)
