Description

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.

INFO

Published Date :

2025-10-02T21:15:47.047Z

Last Modified :

2025-10-03T14:15:50.344Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61666 vulnerability.

Vendors Products
Microsoft
  • Windows
Traccar
  • Traccar
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61666.

URL Resource
https://github.com/traccar/traccar/blob/v6.8.1/src/main/java/org/traccar/web/DefaultOverrideServlet.java cve-icon cve-icon
https://github.com/traccar/traccar/security/advisories/GHSA-hprc-rph8-fj87 cve-icon cve-icon
https://projectblack.io/blog/jetty-addpath-lfi cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability