Description

Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." AS "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.

INFO

Published Date :

2025-12-29T19:04:27.820Z

Last Modified :

2025-12-30T22:26:47.316Z

Source :

rapid7
AFFECTED PRODUCTS

The following products are affected by CVE-2025-14728 vulnerability.

Vendors Products
Linux
  • Linux Kernel
Rapid7
  • Velociraptor
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-14728.

URL Resource
https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact