CVE-2025-66687
Published: 16 March 2026
Summary
CVE-2025-66687 is a high-severity Path Traversal (CWE-22) vulnerability in Doom Launcher 3.8.1.0; the Jeroscope link among the references is the disclosing advisory, not the affected product. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in the analysis below are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-66687 is a Directory Traversal vulnerability (CWE-22) in Doom Launcher 3.8.1.0, stemming from missing file path validation during the extraction of game files. Published on 2026-03-16, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): the vector scores the flaw as network-reachable with no privileges or user interaction, with high confidentiality impact and no integrity or availability impact.
Per that vector, the flaw is exploitable by a remote, unauthenticated attacker with low attack complexity and no user interaction. The attacker-controlled input is a file path that Doom Launcher does not validate while extracting game files, so a path carrying traversal sequences such as ../ resolves outside the intended directory. Exploitation enables arbitrary file reads on the affected system, disclosing sensitive data without affecting integrity or availability. The concrete trigger is documented in the upstream issue and the advisory linked below; the vector's exploitability metrics should be read against that description.
Mitigation guidance is available in the upstream issue at https://github.com/nstlaurent/DoomLauncher/issues/369 and in the disclosing advisory at https://jeroscope.com/advisories/2025/jero-2025-014/.
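The check that "missing file path validation during extraction" implies, shown as an added example in Python; this is not Doom Launcher's code nor the fix from the Jeroscope advisory. The page does not state the exact input, so the example assumes the attacker-controlled value is an archive entry name (the classic zip-slip shape) and builds its archives in memory with made-up entry names. It shows the unchecked join a naive extractor performs beside a guard that rejects absolute paths, drive or UNC prefixes, `..` components, and anything whose resolved path leaves the destination, and it validates the whole listing before writing a single file.

```python
"""Constructed CWE-22 guard for archive extraction (added example, not Doom
Launcher code or the fix from the Jeroscope advisory). Entry names below are
made up; the archives are built in memory so the demo runs offline."""
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


class PathTraversalError(ValueError):
    """An archive entry would be written outside the extraction directory."""


def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Map an entry name onto dest_dir, or raise if it would escape.

    A naive os.path.join(dest_dir, member_name) skips all three checks:
      1. absolute POSIX paths, Windows drive letters and UNC prefixes
      2. any '..' component, after treating '\\' as a separator too
      3. realpath containment, so a symlinked destination cannot redirect writes
    """
    normalized = member_name.replace("\\", "/")
    win = PureWindowsPath(member_name)
    if win.drive or win.root or PurePosixPath(normalized).is_absolute():
        raise PathTraversalError(f"absolute or drive-qualified entry: {member_name!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PathTraversalError(f"parent-directory component in entry: {member_name!r}")
    root = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathTraversalError(f"entry escapes destination: {member_name!r}")
    return candidate


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Boolean form of safe_member_path, convenient for scanning an archive listing."""
    try:
        safe_member_path(dest_dir, member_name)
        return True
    except PathTraversalError:
        return False


def planned_targets_unchecked(archive: bytes, dest_dir: str) -> list[str]:
    """The vulnerable pattern: trust the entry name and join it onto dest_dir.
    Nothing is written; the returned paths show where a naive extractor would write."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [os.path.normpath(os.path.join(dest_dir, i.filename)) for i in zf.infolist()]


def extract_checked(archive: bytes, dest_dir: str) -> list[str]:
    """Hardened extraction: validate every entry before the first write (fail closed)."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [(info, safe_member_path(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in members:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; names are stored verbatim, '..' included (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


BENIGN = build_archive({"maps/e1m1.wad": b"WAD", "readme.txt": b"hello"})
MALICIOUS = build_archive({"maps/e1m1.wad": b"WAD", "../../../escaped.txt": b"outside"})


def demo() -> dict[str, object]:
    """Run the unchecked plan and the checked extractor in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "games", "doom")
        os.makedirs(dest)
        escaped = [p for p in planned_targets_unchecked(MALICIOUS, dest)
                   if not p.startswith(dest + os.sep)]
        benign_written = extract_checked(BENIGN, dest)
        try:
            extract_checked(MALICIOUS, dest)
            blocked = False
        except PathTraversalError:
            blocked = True
        return {"unchecked_escapes": len(escaped),           # 1: the '..' entry lands above dest
                "checked_benign_files": len(benign_written),  # 2
                "checked_malicious_blocked": blocked}          # True, with nothing written


if __name__ == "__main__":
    print(demo())
```

Validating the full listing before the first write matters in a launcher: an archive whose last entry is malicious otherwise leaves a half-extracted game directory behind. The realpath step is the one most often skipped; string checks on the raw name do not catch a destination that is itself a symlink.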
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208755
Vulnerability details
Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file path validation during the extraction of game files.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
Directory traversal enables remote arbitrary file reads from the local system (Data from Local System, T1005) via exploitation of a network-accessible application (Exploit Public-Facing Application, T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the missing file path validation during game file extraction; rejecting any entry path that resolves outside the intended directory prevents the traversal.
- SI-2 (Flaw Remediation): requires identification, reporting and correction of the directory traversal flaw in Doom Launcher 3.8.1.0, tracked in the upstream issue linked above.
- Access enforcement: enforces access control policies that limit file reads to authorized directories, reducing what a successful traversal can disclose.