Critical severityNVD Advisory· Published Dec 9, 2025· Updated Jan 28, 2026

Directory Traversal in Robocode's CacheCleaner Component

CVE-2025-14306

Description

A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
net.sf.robocode:robocode.coreMaven	< 1.9.5.6	1.9.5.6

Affected products

Robocode Project/Robocodev5
Range: 1.9.3.6

Patches

26b6ba8ed5b2

Merge pull request #67

https://github.com/robo-code/robocodeLim Sim YeeMay 13, 2025via ghsa

commit

1 file changed · +26 −14

robocode.core/src/main/java/net/sf/robocode/cachecleaner/CacheCleaner.java+26 −14 modified

@@ -56,18 +56,30 @@ private static void deleteFile(String filename) {
 		}
 	}
 
-	private static void recursivelyDelete(File file) throws IOException {
-		if (file.exists()) {
-			if (file.isDirectory()) {
-				final File[] files = file.listFiles();
-
-				for (File f : files) {
-					recursivelyDelete(f);
-				}
-			}
-			if (!file.delete()) {
-				throw new IOException("Failed deleting file: " + file.getPath());
-			}
-		}
+	private static void recursivelyDelete(File file, File base) throws IOException {
+	    if (!file.exists()) {
+	        return;
+	    }
+	    
+	    // Security check to prevent directory traversal attacks
+	    if (!(file.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath()))) {
+	        throw new IOException("Security violation: Attempting to delete a file outside the allowed base directory: "
+	                + file.getCanonicalPath());
+	    }
+	
+	    if (file.isDirectory()) {
+	        final File[] files = file.listFiles();
+	        
+	        // Null check for file listing
+	        if (files != null) {
+	            for (File f : files) {
+	                recursivelyDelete(f, base);
+	            }
+	        }
+	    }
+	    
+	    if (!file.delete()) {
+	        throw new IOException("Failed deleting file: " + file.getPath());
+	    }
+	}
 	}
-}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-j8r2-47rx-qhw4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-14306ghsaADVISORY
github.com/robo-code/robocode/commit/26b6ba8ed5b2a11a646ce2d5da8d42cd53574b1fghsaWEB
github.com/robo-code/robocode/pull/67ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000