Unauthenticated Local File Inclusion in Traccar GPS Tracking System
CVE-2025-61666

8.7HIGH

Key Information:

Vendor: Traccar
Status: Traccar
Vendor: CVE Published:; 2 October 2025

What is CVE-2025-61666?

Traccar, an open-source GPS tracking system, is susceptible to unauthenticated local file inclusion vulnerabilities present in specific versions. Default installations of Traccar on Windows between versions 6.1 and 6.8.1 are vulnerable, allowing attackers to potentially access sensitive files, including the configuration file, leading to password leakage. Non-default installations between versions 5.8 and 6.0 are also affected, but only if a specific configuration key is enabled. The issue is resolved in version 6.9.0, making it imperative for users to update to ensure security.

Affected Version(s)

traccar >= 5.8, < 6.9.0

References

https://github.com/traccar/traccar/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/traccar/traccar/blob/v6.8.1/src/main/j...

x_refsource_MISC

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 2, 2025
Vulnerability Reserved
Sep 29, 2025

JSON