CVE-2025-61666
Published: 02 October 2025
Summary
CVE-2025-61666 is a high-severity Path Traversal (CWE-22) vulnerability in Projectblack (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 19.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Traccar, an open source GPS tracking system, contains a path traversal vulnerability (CWE-22) that enables unauthenticated local file inclusion. Default installations on Windows in versions 6.1 through 6.8.1 are affected because the web override feature is enabled by default, while versions 5.8 through 6.0 are affected only when the configuration explicitly sets <entry key='web.override'>./override</entry>. The flaw resides in DefaultOverrideServlet and permits reading arbitrary files on the filesystem, including the Traccar configuration file that may contain passwords.
An unauthenticated remote attacker can supply crafted paths to the override servlet and retrieve sensitive files with no user interaction. Successful exploitation yields disclosure of configuration secrets or other filesystem contents but does not permit modification or service disruption. The CVSS 4.0 score of 8.7 reflects the network-accessible, low-complexity nature of the attack.
The official advisory GHSA-hprc-rph8-fj87 notes that the Traccar 6.9.0 release removes the vulnerable servlet code entirely. Administrators are advised to upgrade to 6.9.0 or later; non-default installations should also verify that the web.override setting is absent or disabled. The associated EPSS score rose from a low baseline to a peak of 0.0324, indicating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33211
Vulnerability details
Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1 - 6.8.1 and non-default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
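The control above, applied to the override feature described in the deeper analysis, as an added example that is not Traccar's own code (the 6.9.0 fix removed the servlet rather than hardening it): a hypothetical helper resolves a client-supplied path beneath the configured override directory and refuses anything that escapes it, lexically or through a symlink. The directory layout and request strings are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not Traccar's code): containment check for override file requests.
public final class OverridePathCheck {

    // Hypothetical helper. Returns the real file to serve, or null when the request must be refused.
    public static Path resolveUnderOverride(Path overrideDir, String requestPath) throws IOException {
        Path base = overrideDir.toAbsolutePath().normalize();
        // Treat the request as relative: fold backslashes (Windows accepts both separators
        // and the affected default install is on Windows) and strip leading separators.
        String rel = requestPath.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = base.resolve(rel).normalize();
        if (!candidate.startsWith(base)) return null;          // "../" escaped the base directory
        if (!Files.isRegularFile(candidate)) return null;       // missing, or a directory
        Path real = candidate.toRealPath();                     // follow symlinks
        if (!real.startsWith(base.toRealPath())) return null;   // symlink pointed outside the base
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: override/static/app.css inside, traccar.xml (the secret) outside.
        Path root = Files.createTempDirectory("traccar-demo");
        Path staticDir = Files.createDirectories(root.resolve("override/static"));
        Files.writeString(staticDir.resolve("app.css"), "body{}");
        Files.writeString(root.resolve("traccar.xml"), "<entry key='secret'>x</entry>");

        String[] requests = {
            "static/app.css",               // legitimate override file
            "/static/app.css",              // leading slash, still inside the base
            "../traccar.xml",               // classic traversal out of the base
            "static/..\\..\\traccar.xml",   // Windows-style separators
            "/etc/passwd",                  // absolute-looking path
        };
        for (String r : requests) {
            Path p = resolveUnderOverride(root.resolve("override"), r);
            System.out.println(r + " -> " + (p == null ? "REFUSED" : "served " + root.relativize(p)));
        }
    }
}
```

Path.startsWith compares whole path components, so a sibling directory such as override2 is not mistaken for the base; the toRealPath step is what catches a symlink planted inside the override directory.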