PT-2025-40429 · Traccar · Traccar
Eddiez9 +1
Published: 2025-10-02
Updated: 2025-12-03
CVE-2025-61666
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Traccar versions 5.8 through 6.0
Traccar versions 6.1 through 6.8.1
Description
Traccar, an open source GPS tracking system, has a flaw that allows unauthenticated local file inclusion attacks. This can result in the disclosure of passwords or of any file on the file system, including the Traccar configuration file. Versions 5.8 through 6.0 are susceptible only if the configuration file includes `<entry key='web.override'>./override</entry>`. Versions 6.1 through 6.8.1 are vulnerable by default because the web override is enabled out of the box.
Recommendations
Update to version 6.9.0 or later.
For versions 5.8 through 6.0, ensure the `<entry key='web.override'>./override</entry>` setting is removed from the configuration file.
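The affected-version and configuration rules above can be turned into an exposure check run against a deployment's traccar.xml. This is an added example, not code from the advisory or from the Traccar project; the two XML fragments are constructed samples in the Java properties format the advisory quotes, and the version boundaries follow the ranges stated above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample traccar.xml contents (Java properties XML), not real deployments.
CONFIG_WITH_OVERRIDE = """<properties>
  <entry key='config.default'>./conf/default.xml</entry>
  <entry key='web.override'>./override</entry>
</properties>"""

CONFIG_WITHOUT_OVERRIDE = """<properties>
  <entry key='config.default'>./conf/default.xml</entry>
</properties>"""


def parse_version(text):
    """Turn a version string such as '6.8.1' into (6, 8, 1); missing parts become 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def has_web_override(config_xml):
    """True if the properties XML carries a web.override entry (any value)."""
    root = ET.fromstring(config_xml)
    return any(entry.get("key") == "web.override" for entry in root.iter("entry"))


def is_affected(version, config_xml):
    """Apply the advisory's rules for CVE-2025-61666 to a version and its config."""
    v = parse_version(version)
    # 5.8 through 6.0: exposed only when the override entry is present in the config.
    if (5, 8, 0) <= v < (6, 1, 0):
        return has_web_override(config_xml)
    # 6.1 through 6.8.1: web override is enabled by default, so always exposed.
    if (6, 1, 0) <= v < (6, 9, 0):
        return True
    # Older than 5.8 or 6.9.0 and later: not listed as affected.
    return False


if __name__ == "__main__":
    for ver, cfg in [("5.8", CONFIG_WITH_OVERRIDE), ("6.8.1", CONFIG_WITHOUT_OVERRIDE),
                     ("6.9.0", CONFIG_WITH_OVERRIDE)]:
        print(ver, "affected" if is_affected(ver, cfg) else "not affected")
```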
Weakness Enumeration
Path traversal
Affected Products
Traccar