Directory Traversal Vulnerability in Rapid7 Velociraptor on Linux Servers
CVE-2025-14728

6.8MEDIUM

Key Information:

Vendor: Rapid7
Status: Velociraptor
Vendor: CVE Published:; 29 December 2025

What is CVE-2025-14728?

Rapid7 Velociraptor, specifically versions prior to 0.75.6, is exposed to a directory traversal vulnerability on Linux servers. This flaw allows unauthorized clients to upload files outside the designated datastore directory due to inadequate sanitization of directory names that conclude with a '.'. The only encoding applied is turning the final '.' into '%2E', which could lead to unintended file placements. While attackers can place files in incorrect directories, it is noteworthy that these directories must conclude with '%2E', which limits potential damage and protects critical system files.

Affected Version(s)

Velociraptor Linux 0 < 0.75.6

References

https://docs.velociraptor.app/announcements/advisories/cv...

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 29, 2025
Vulnerability Reserved
Dec 15, 2025

Credit

We thank @_chebuya for identifying and reporting this issue.

CVE-2025-14728 Data

JSON