CVE-2025-14728 MEDIUM

CVE-2025-14728: Rapid7 Velociraptor Directory Traversal Vulnerability

Vendor Rapid7
Product Velociraptor
Weakness CWE-22 · Path traversal
Published December 29, 2025
Last update December 30, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

Description

Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." as "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.
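The defensive invariant the description states (the server may only write inside the datastore directory) can be enforced independently of how individual path components are encoded. The following is an added example written for this record, not Velociraptor's own code: it resolves a client-supplied relative path against an assumed datastore root, accepts directory names that end in "." as long as the result stays under the root, and rejects anything that escapes it. The root path and the client paths are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDatastore is returned when the resolved write target would leave the root.
var ErrOutsideDatastore = errors.New("write target escapes datastore root")

// resolveInDatastore joins a client-supplied relative path onto the datastore
// root and refuses any result that does not remain strictly inside the root.
// It is a lexical containment check: "." and ".." components are collapsed by
// filepath.Clean before the prefix comparison, while a directory name such as
// "evidence." (ending in a dot) is an ordinary Linux name and is kept as-is.
// Symlinks are not followed here; a production check should additionally run
// filepath.EvalSymlinks on the parent directory once it exists.
func resolveInDatastore(root, clientPath string) (string, error) {
	absRoot, err := filepath.Abs(filepath.Clean(root))
	if err != nil {
		return "", err
	}
	// Clients may only supply paths relative to the datastore.
	if filepath.IsAbs(clientPath) {
		return "", ErrOutsideDatastore
	}
	target := filepath.Clean(filepath.Join(absRoot, clientPath))
	// Require the separator so that "/srv/datastore2" is not accepted as a
	// prefix match for root "/srv/datastore", and reject the root itself.
	if !strings.HasPrefix(target, absRoot+string(filepath.Separator)) {
		return "", ErrOutsideDatastore
	}
	return target, nil
}

func main() {
	root := "/srv/datastore" // constructed sample root, not a Velociraptor default
	for _, p := range []string{
		"clients/C.1234/uploads/report.txt", // ordinary upload
		"clients/evidence./notes.txt",       // directory name ending in "."
		"../etc/cron.d/job",                 // traversal, rejected
		".",                                 // the root itself, rejected
	} {
		if t, err := resolveInDatastore(root, p); err != nil {
			fmt.Printf("REJECT %q: %v\n", p, err)
		} else {
			fmt.Printf("ACCEPT %q -> %s\n", p, t)
		}
	}
}
```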

Key dates

Disclosure timeline

December 29, 2025 CVE published
December 30, 2025 Record updated