CVE-2025-14728 Velociraptor directory traversal vulnerability

Published on 2025-12-29

Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file that is written outside the datastore directory, which is normally the only location the server is allowed to write to. The issue is caused by insufficient sanitization of directory names that end with a ".": only the final "." is encoded (as "%2E"), and the rest of that path component is not escaped.

Although files can be written to unintended locations, the name of the containing directory must end with "%2E". This limits the impact of the vulnerability and prevents it from being used to overwrite critical files.

Required configuration for exposure:

This vulnerability only occurs on Velociraptor servers running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected.

Problem:

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impact:

CAPEC-23 File Content Injection

Product Status:

Product: Rapid7 Velociraptor on Linux (source repo)
Default status: unaffected
Affected: versions before 0.75.6

Credits:

We thank @_chebuya for identifying and reporting this issue

Further details

When Velociraptor receives an uploaded file from the client, the server writes the file into the client’s part of the datastore directory. The path under which the file is written is made to resemble the original path on the client as much as possible, except that certain characters are escaped.

For example, if the path contains a “:” character (e.g. C:\Windows), that character is escaped, since it cannot appear in a filename on a Windows filesystem. Additionally, Velociraptor escapes directory traversal sequences like “..”.

On Windows, filenames that end with a “.” are not representable: Windows silently drops the final “.” from the filename. This would corrupt the stored path when the server runs on Windows.

In the specific case of a path component that ends with a “.”, Velociraptor escapes the final “.” to “%2E” but neglects to escape the other directory traversal characters in that same component. As a result, those traversal characters are propagated into the path that the server writes to.

The vulnerability allows a rogue client to upload files to unintended directories on the server, as long as the containing directory name ends with a “%2E”.

On Windows, Velociraptor uses raw device paths (the \\?\ prefix), which are passed to the filesystem without “..” resolution and therefore do not support directory traversal at all. As a result, this vulnerability is not exploitable on Windows (e.g. \\?\C:\datastore\clients\C.1234\..\test.txt is not a valid path).

Recommendation

This vulnerability requires upgrading the server as described in Server Upgrades.

Older versions are vulnerable and should be upgraded immediately.