Published on 2025-12-29
Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file that is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names that end with a ".", only encoding the final "." as "%2E".

Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability and prevents it from overwriting critical files.
This vulnerability only occurs on Velociraptor servers running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected.
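The following Go snippet is an added illustration of the kind of containment check that closes this class of bug; it is not Velociraptor's own code, and the function name, the datastore root and the sample client paths are assumptions made for the example. It shows why rewriting a trailing "." in a directory name is not a substitute for verifying that the final path stays under the datastore root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDatastore is returned when a client-supplied path would not
// stay inside the datastore directory.
var ErrOutsideDatastore = errors.New("upload path escapes datastore directory")

// ResolveUploadPath maps a client-supplied relative path onto the datastore
// directory and refuses anything that does not stay inside it. The function
// name, the datastore layout and the sample paths below are assumptions made
// for this illustration; this is not Velociraptor's code.
func ResolveUploadPath(datastoreRoot, clientPath string) (string, error) {
	// Clients may only name a location relative to the datastore.
	if clientPath == "" || filepath.IsAbs(clientPath) {
		return "", ErrOutsideDatastore
	}

	// Check every path component as the client sent it, before any
	// cleaning or encoding. Rewriting only a trailing "." (the "%2E"
	// encoding the advisory describes) is a naming convention, not a
	// containment check, so "." and ".." are rejected outright regardless
	// of how they would later be encoded.
	for _, component := range strings.Split(filepath.ToSlash(clientPath), "/") {
		if component == "." || component == ".." {
			return "", ErrOutsideDatastore
		}
	}

	// Defence in depth: build the final path and verify, independently of
	// the component check, that it is still under the datastore root.
	root := filepath.Clean(datastoreRoot)
	full := filepath.Join(root, clientPath) // Join also cleans the result
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideDatastore
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate upload path, one directory
	// name ending in "." (harmless on its own) and three paths that would
	// leave the datastore.
	root := "/var/velociraptor/datastore"
	for _, p := range []string{
		"clients/C.1/uploads/report.txt",
		"clients/C.1/uploads./report.txt",
		"../etc/cron.d/job",
		"clients/../../etc/cron.d/job",
		"/etc/cron.d/job",
	} {
		full, err := ResolveUploadPath(root, p)
		if err != nil {
			fmt.Printf("%-36s -> rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-36s -> %s\n", p, full)
	}
}
```

The check is purely lexical: a directory name such as "uploads." is accepted because it stays under the root, while any "." or ".." component is refused before encoding ever happens. If the datastore may contain symbolic links, resolve the existing parent directory with filepath.EvalSymlinks before the final comparison, since a lexical check alone does not see where a link points.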
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC-23 File Content Injection
| Product | Affected |
|---|---|
| Rapid7 Velociraptor on Linux (source repo; default status: unaffected) | before 0.75.6 |
We thank @_chebuya for identifying and reporting this issue.