CVE-2025-14728
MEDIUM 6.8
Description
Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." as "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.
CVE Details
CVSS v3.1 score: 6.8
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack vector: NETWORK
Complexity: HIGH
Privileges required: NONE
User interaction: NONE
Published: 12/29/2025
Last modified: 2/20/2026
Source: nvd
Honeypot sightings: 0
Affected products
linux:linux_kernel
rapid7:velociraptor
Weaknesses (CWE)
CWE-22
References
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.