CRITICAL🇵🇱 Wersja polska

CVE-2025-14306

CVSS 10.0v4.0pub. 2025-12-09upd. 2026-01-28

A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/

🤖 AI Analysis
How it works

The recursivelyDelete method in the CacheCleaner component does not perform proper sanitization of file paths (CWE-22). An attacker can provide specially crafted input containing directory traversal sequences (e.g., '../'), which cause the process to exit the intended working directory. As a result, the method executes the deletion operation on files indicated by the manipulated path, regardless of their location in the file system.

Impact

An attacker can unauthorized delete arbitrary files available in the context of the application's permissions, which may lead to data loss, system destabilization, or disruption of other services.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references — a fix is available in the Robocode project GitHub repository (pull request #67, commit 26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1f).

Who is affected

Robocode version 1.9.3.6

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Red
  • Robocode

    APP
    Robocode
    1.9.3.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2025-14307CRITICAL9.3PL ✓ten sam produkt

Robocode: podatność race condition przy tworzeniu plików tymczasowych (RCE)

CVE-2025-14308CRITICAL10.0PL ✓ten sam produkt

Integer overflow w klasie Buffer Robocode umożliwiający RCE

CVE-2019-10648CRITICAL9.8ten sam produkt

Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated ...

CVE-2008-2078HIGH7.5ten sam produkt

Robocode before 1.6.0 allows user-assisted remote attackers to "access the internals of the Robocode game" via...

CVE-2007-6382MEDIUM6.8ten sam produkt

The Event Dispatch Thread in Robocode before 1.5.1 allows remote attackers to execute arbitrary Java code by u...