CVE-2025-14306

CRITICAL9.1EPSS 0.64%

Robocode vulnerable to Directory Traversal in recursivelyDelete Method

Published: 12/9/2025Modified: 6/2/2026

Description

A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/

Affected packages (2)

Debian/robocodefrom 0
Maven/net.sf.robocode:robocode.corefrom 0, < 1.9.5.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:D/RE:M/U:Red
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-14306
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-14306
PATCHhttps://github.com/robo-code/robocode
WEBhttps://github.com/robo-code/robocode/commit/26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f
WEBhttps://github.com/robo-code/robocode/pull/67