CVE-2025-14306

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-14306
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14306.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-14306
Aliases
Downstream
Published
2025-12-09T16:17:38.477Z
Modified
2026-03-14T12:41:45.964001Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/

References

Affected packages

Git / github.com/robo-code/robocode

Affected ranges

Type
GIT
Repo
https://github.com/robo-code/robocode
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f

Affected versions

1.*
1.9.2.6
1.9.4.1
Other
VER_1_7_4_3
VER_1_9_2_1
VER_1_9_2_2
VER_1_9_2_3
VER_1_9_2_4
VER_1_9_2_6
VER_1_9_3_2
VER_1_9_3_3
VER_1_9_3_5
VER_1_9_3_7
VER_1_9_3_8
VER_1_9_3_9
VER_1_9_4_1
VER_1_9_4_2
VER_1_9_4_3
VER_1_9_4_4
VER_1_9_4_5
VER_1_9_4_6
VER_1_9_4_7
VER_1_9_4_8
VER_1_9_4_9
VER_1_9_5_0
VER_1_9_5_1
VER_1_9_5_2
VER_1_9_5_3
VER_1_9_5_4
VER_1_9_5_5

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.9.3.6"
            }
        ]
    }
]
vanir_signatures 
[
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "robocode.core/src/main/java/net/sf/robocode/cachecleaner/CacheCleaner.java"
        },
        "id": "CVE-2025-14306-4a1b2af8",
        "deprecated": false,
        "source": "https://github.com/robo-code/robocode/commit/26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f",
        "digest": {
            "line_hashes": [
                "226468790046738820297209387725700463534",
                "278213392381199124473267123690496341508",
                "94401848161336938752088764228931195360",
                "289881945361656010070801236118168939882",
                "320929655408041803210278498355928160653",
                "213156195777829478378052352458344525701",
                "299503053415901066562427901183244383859",
                "163807451800026426274867000900850969484",
                "200405071256124958203019157225568354642",
                "283896430153423768197108066559892385274",
                "156445461059679079838519380527212851430",
                "277032414359885920053722779646467036817",
                "77940986289765586368443957907839618822",
                "108587633537507210242609878158511307392"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "robocode.core/src/main/java/net/sf/robocode/cachecleaner/CacheCleaner.java",
            "function": "recursivelyDelete"
        },
        "id": "CVE-2025-14306-73f0b6f5",
        "deprecated": false,
        "source": "https://github.com/robo-code/robocode/commit/26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f",
        "digest": {
            "function_hash": "168358770647349588309025057651120915164",
            "length": 305.0
        }
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14306.json"