Login Sign Up

CVE-2025-14306

9.1 CRITICAL

📋 TL;DR

A directory traversal vulnerability in Robocode's CacheCleaner component allows attackers to delete arbitrary files on the system by manipulating file paths. This affects Robocode version 1.9.3.6 users who have the vulnerable component enabled. Attackers can exploit this to cause data loss or system disruption.

💻 Affected Systems

Products:
  • Robocode
Versions: 1.9.3.6
Operating Systems: All platforms running Robocode
Default Config Vulnerable: ⚠️ Yes
Notes: The CacheCleaner component must be accessible/triggered for exploitation.

📦 What is this software?

Robocode by Robocode

View all CVEs affecting Robocode →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through deletion of critical system files, leading to OS corruption, data loss, or service disruption.

🟠

Likely Case

Unauthorized deletion of application files, user data, or configuration files causing application failure or data loss.

🟢

If Mitigated

Limited impact to non-critical files if proper file permissions and isolation are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to trigger CacheCleaner with malicious input; no authentication bypass needed if component is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f

Vendor Advisory: https://robo-code.blogspot.com/

Restart Required: Yes

Instructions:

1. Update Robocode to version containing commit 26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f. 2. Restart the application. 3. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable CacheCleaner Component

all

Temporarily disable or restrict access to the CacheCleaner component to prevent exploitation.

Modify configuration to disable CacheCleaner or remove its execution permissions.

Implement File Path Validation

all

Add input validation to sanitize file paths before processing.

Implement path canonicalization and validation in application code.

🧯 If You Can't Patch

  • Restrict file system permissions for the Robocode process to limit deletion capabilities.
  • Implement network segmentation to isolate Robocode instances from critical systems.

🔍 How to Verify

Check if Vulnerable:

Check if Robocode version is 1.9.3.6 and CacheCleaner component is present/active.

Check Version:

Check Robocode documentation or application properties for version information.

Verify Fix Applied:

Verify the application version includes commit 26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion patterns in system or application logs
  • Access to paths outside expected cache directories

Network Indicators:

  • Unexpected requests to CacheCleaner endpoints with path traversal patterns

SIEM Query:

Search for file deletion events originating from Robocode process with paths containing '../' or similar traversal sequences.

📊 Metadata

CVE ID: CVE-2025-14306
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CWE: CWE-22
EPSS Score: 0.56% exploit probability (67.7th percentile)
Published: December 9, 2025
Last Updated: January 28, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14306, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)