Platform
java
Component
net.sf.robocode:robocode.core
Fixed version
1.9.4
1.9.5.6
CVE-2025-14306 is a critical directory traversal vulnerability in Robocode Core, located in the CacheCleaner component. Because the cleaner does not confine the paths it removes, an attacker who can influence a file path can make it delete arbitrary files on the host. Robocode Core versions up to and including 1.9.5.5 are affected; version 1.9.5.6 contains the fix.
The impact is significant. An attacker who exploits CVE-2025-14306 can delete files on the system where Robocode Core runs, which can mean data loss, a broken installation, or denial of service. The root cause is that the recursiveDelete method does not validate that the path it is about to remove stays inside the intended cache directory, so a path that resolves outside it (for example through ../ components) is deleted together with everything beneath it. How far the damage reaches depends on the privileges of the Robocode process and the files it can reach. Robocode is a programming game used mostly for teaching, but an instance that runs with broad filesystem permissions, or on a shared host, turns an arbitrary deletion into a host-wide problem. The advisory does not say how a crafted path reaches the cleaner, so treat every input that ends up as a cache entry name as untrusted.
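The pattern behind this class of bug, shown here as an added illustration and not as Robocode's own code: an unconfined recursive delete that removes whatever path it is handed, beside a version that canonicalises a trusted cache root, rejects any entry whose normalised path leaves that root, refuses to descend through a symbolic link, and walks the tree without following links. The class and method names, the temporary directories and the planted symlink are all constructed for the demonstration; whether Robocode's cleaner can be reached through a symlink is not stated in the advisory and is assumed here only to show the check.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative cache cleaner (constructed example, not Robocode's code).
 * Shows the unsafe "delete whatever path you are handed" pattern next to a
 * version that confines every deletion to a trusted cache root.
 */
public final class ConfinedCacheCleaner {
    private final Path cacheRoot;

    public ConfinedCacheCleaner(Path cacheRoot) throws IOException {
        // Canonicalise the trusted root once; all containment checks compare against this real path.
        this.cacheRoot = cacheRoot.toRealPath();
    }

    /** Unsafe pattern: no containment check, and isDirectory() follows a symlink into its target. */
    static void unconfinedRecursiveDelete(Path target) throws IOException {
        if (Files.isDirectory(target)) {
            try (DirectoryStream<Path> ds = Files.newDirectoryStream(target)) {
                for (Path child : ds) {
                    unconfinedRecursiveDelete(child);
                }
            }
        }
        Files.deleteIfExists(target);
    }

    /**
     * Hardened: rejects lexical escapes and the root itself, removes a symlinked
     * entry as a link only, then walks without following links so nothing outside
     * cacheRoot is ever visited. Returns the removed paths so callers can log them.
     */
    public List<Path> recursiveDelete(String entryName) throws IOException {
        Path candidate = cacheRoot.resolve(entryName).normalize();
        if (candidate.equals(cacheRoot) || !candidate.startsWith(cacheRoot)) {
            throw new SecurityException("refusing to delete outside cache root: " + entryName);
        }
        if (Files.isSymbolicLink(candidate)) {
            Files.delete(candidate); // removes the link in the cache, never its target
            return List.of(candidate);
        }
        if (!Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            return List.of();
        }
        List<Path> deleted = new ArrayList<>();
        // walkFileTree does not follow symlinks unless FOLLOW_LINKS is passed, so every
        // path handed to the visitor is lexically beneath candidate.
        Files.walkFileTree(candidate, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                Files.delete(file); // a symlink found here is deleted as a link, not followed
                deleted.add(file);
                return FileVisitResult.CONTINUE;
            }

            @Override
            public FileVisitResult postVisitDirectory(Path dir, IOException exc) throws IOException {
                if (exc != null) {
                    throw exc;
                }
                Files.delete(dir);
                deleted.add(dir);
                return FileVisitResult.CONTINUE;
            }
        });
        return deleted;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a cache root with one real entry and one planted symlink escape.
        Path root = Files.createTempDirectory("robocode-cache-");
        Path outside = Files.createTempDirectory("outside-");
        Files.createFile(outside.resolve("keep.txt"));
        Files.createDirectories(root.resolve("robot-a"));
        Files.createFile(root.resolve("robot-a").resolve("class.bin"));
        Files.createSymbolicLink(root.resolve("robot-b"), outside);

        ConfinedCacheCleaner cleaner = new ConfinedCacheCleaner(root);
        System.out.println("deleted: " + cleaner.recursiveDelete("robot-a"));
        System.out.println("deleted: " + cleaner.recursiveDelete("robot-b"));
        System.out.println("outside file survives: " + Files.exists(outside.resolve("keep.txt")));
        try {
            cleaner.recursiveDelete("../" + outside.getFileName());
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Run it with `java ConfinedCacheCleaner.java` on Java 11 or later (creating the symlink needs a Unix-like host). One caveat worth knowing: there is still a window between the isSymbolicLink check and the walk in which an entry could be swapped for a link, and Java offers no race-free unlinkat-style primitive to close it completely; giving the process write access to nothing beyond its cache directory remains the real backstop, which is why restricting its permissions is listed as the interim mitigation.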
CVE-2025-14306 was published on 2025-12-09. There is no indication of exploitation in the wild and no KEV listing at the time of writing. No public proof of concept is available, but a traversal in a delete routine needs no memory corruption or timing tricks, so a working exploit is likely to be straightforward once the reachable input is known. The CVSS score of 9.5 rates it critical and warrants prompt patching.
Anyone running Robocode Core 1.9.5.5 or earlier is at risk. That covers educational deployments as well as any application that embeds robocode.core as a library, including ones where the process has broad filesystem access. Shared or multi-user hosts are the most exposed, since a deletion there can reach files that belong to other users or services.
• java: Monitor the Robocode process for unusual file deletions with host monitoring tools (for example, audit rules on the unlink, unlinkat and rmdir system calls scoped to the java binary).
• java: Examine Robocode logs for paths containing traversal sequences such as ../ or absolute paths where a cache entry name was expected.
• generic web: If Robocode is exposed through a web interface, watch access logs for requests whose file-path parameters contain ../ or absolute paths.
• generic web: Check the Robocode cache directory for unexpected entries, in particular names containing path separators or ".." and links pointing outside the directory.
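The first detection item above, worked through as an added example that is not part of the advisory: the checker below correlates Linux audit SYSCALL and PATH records by their serial number and reports every successful deletion made by a process whose command name is java and whose target path lies outside the expected cache root. It assumes an audit rule such as `-a always,exit -F arch=b64 -S unlink,unlinkat,rmdir -F comm=java -k robocode_delete` is installed; the cache root `/var/lib/robocode/cache`, the rule key and the audit records themselves are constructed for the demonstration and trimmed to the fields the checker reads.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not part of the advisory): pairs Linux audit SYSCALL and
 * PATH records by serial number and reports files a java process deleted
 * outside the expected Robocode cache root. The records in main() are constructed.
 */
public final class RobocodeDeleteMonitor {
    // msg=audit(<epoch>:<serial>) ties a SYSCALL record to the PATH records of the same event
    private static final Pattern SERIAL = Pattern.compile("msg=audit\\([0-9.]+:(\\d+)\\)");
    private static final Pattern FIELD = Pattern.compile("(\\w+)=(\"[^\"]*\"|\\S+)");

    static Map<String, String> fields(String record) {
        Map<String, String> f = new HashMap<>();
        Matcher m = FIELD.matcher(record);
        while (m.find()) {
            String value = m.group(2);
            if (value.startsWith("\"")) {
                value = value.substring(1, value.length() - 1); // strip audit's quoting
            }
            f.put(m.group(1), value);
        }
        return f;
    }

    static String serial(String record) {
        Matcher m = SERIAL.matcher(record);
        return m.find() ? m.group(1) : null;
    }

    /**
     * Returns one "serial path" line per successful deletion (nametype=DELETE) whose
     * SYSCALL record has comm="java" and whose normalised path is outside cacheRoot.
     */
    static List<String> suspiciousDeletes(List<String> records, Path cacheRoot) {
        Map<String, Map<String, String>> syscalls = new HashMap<>();
        Map<String, List<String>> deletedNames = new HashMap<>();
        for (String record : records) {
            String id = serial(record);
            if (id == null) {
                continue;
            }
            Map<String, String> f = fields(record);
            if ("SYSCALL".equals(f.get("type"))) {
                syscalls.put(id, f);
            } else if ("PATH".equals(f.get("type")) && "DELETE".equals(f.get("nametype"))) {
                deletedNames.computeIfAbsent(id, k -> new ArrayList<>()).add(f.get("name"));
            }
        }
        Path root = cacheRoot.toAbsolutePath().normalize();
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : deletedNames.entrySet()) {
            Map<String, String> call = syscalls.get(e.getKey());
            if (call == null || !"java".equals(call.get("comm")) || !"yes".equals(call.get("success"))) {
                continue;
            }
            for (String name : e.getValue()) {
                // normalize() collapses the ../ segments so the containment check sees the real target
                Path target = Paths.get(name).toAbsolutePath().normalize();
                if (!target.startsWith(root)) {
                    findings.add(e.getKey() + " " + name);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed records: 101 is a normal cache cleanup, 102 escapes the cache root,
        // 103 is a deletion by a different program and must be ignored.
        List<String> records = List.of(
            "type=SYSCALL msg=audit(1765000000.001:101): arch=c000003e syscall=263 success=yes exit=0 comm=\"java\" exe=\"/usr/bin/java\" key=\"robocode_delete\"",
            "type=PATH msg=audit(1765000000.001:101): item=1 name=\"/var/lib/robocode/cache/robot-a/class.bin\" nametype=DELETE",
            "type=SYSCALL msg=audit(1765000000.002:102): arch=c000003e syscall=263 success=yes exit=0 comm=\"java\" exe=\"/usr/bin/java\" key=\"robocode_delete\"",
            "type=PATH msg=audit(1765000000.002:102): item=1 name=\"/var/lib/robocode/cache/../../../etc/cron.d/backup\" nametype=DELETE",
            "type=SYSCALL msg=audit(1765000000.003:103): arch=c000003e syscall=263 success=yes exit=0 comm=\"rm\" exe=\"/usr/bin/rm\"",
            "type=PATH msg=audit(1765000000.003:103): item=1 name=\"/tmp/scratch\" nametype=DELETE");
        for (String finding : suspiciousDeletes(records, Paths.get("/var/lib/robocode/cache"))) {
            System.out.println("suspicious delete: " + finding);
        }
    }
}
```

Only serial 102 is reported. Two limitations to keep in mind when pointing this at real audit output: auditd hex-encodes a `name=` value that contains unprintable characters (the parser above treats it as a literal string), and a deletion of a symlink's target through the cache directory shows up under the target's real path, so the containment check should be run against where the path resolves on the host, not only against the string the process passed.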
Public Disclosure
Exploitation status
EPSS
0.58% (69th percentile)
CISA SSVC
The primary mitigation for CVE-2025-14306 is to upgrade Robocode Core to version 1.9.5.6 or later. If that is not immediately possible, run the Robocode process under an account whose write access is limited to its own cache and data directories so that an unauthorized deletion cannot reach anything else. A WAF rule is unlikely to help, since the path never needs to cross a web boundary; monitoring the filesystem for deletions by the Robocode process that land outside its directories gives earlier warning. No Sigma or YARA rules specific to this CVE are available, so a generic rule on unusual deletion patterns from the Robocode process is the practical substitute.
Update Robocode to a version of 1.9.5.6 or later, which fixes the directory traversal vulnerability. Consult the project repository or the official website for the latest version and update instructions.
CVE-2025-14306 is a critical directory traversal vulnerability in Robocode Core versions up to 1.9.5.5 that lets an attacker who controls a file path delete arbitrary files.
You are affected if you are using Robocode Core version 1.9.5.5 or earlier. Upgrade to 1.9.5.6 to resolve the issue.
Upgrade Robocode Core to version 1.9.5.6 or later. Restrict Robocode process permissions as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate action.
Refer to the Robocode project's official website and release notes for the latest advisory regarding CVE-2025-14306.