PT-2025-53780 · Rapid7 · Rapid7 Velociraptor

Chebua · Published 2025-12-29 · Updated 2026-02-20 · CVE-2025-14728

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Rapid7 Velociraptor versions before 0.75.6

Description: Rapid7 Velociraptor versions prior to 0.75.6 contain a directory traversal issue on Linux servers. This allows a malicious client to upload a file that is written outside the intended datastore directory. The issue stems from inadequate sanitization of directory names ending with a ".", where only the final "." is encoded as "%2E". While files can be written to incorrect locations, the containing directory must end with "%2E", limiting the potential impact and preventing overwriting of critical files.

Recommendations: Rapid7 Velociraptor versions prior to 0.75.6 should be updated to version 0.75.6 or later.
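The description points at the general failure mode behind this class of bug: rewriting individual path components (here, encoding a trailing ".") is not the same as proving that the final path stays inside the datastore root. The following Go helper is an added example written for this page; it is not Velociraptor's code and makes no claim about how the project's datastore layer is implemented. The function name `SafeJoin`, the root path and the sample client paths are assumptions chosen for illustration. It rejects suspicious components before any rewriting and then performs a lexical containment check on the cleaned result, which is the check a server should apply to every client-supplied upload path regardless of how the components are later encoded on disk.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a client-supplied path would resolve outside the
// datastore root or contains a component the server refuses to store.
var ErrEscape = errors.New("path escapes datastore root or contains a rejected component")

// SafeJoin joins a client-supplied relative path onto the datastore root and
// refuses anything that would land outside it. Hypothetical hardened helper
// written for this page, not Velociraptor's own implementation.
func SafeJoin(root, clientPath string) (string, error) {
	// Absolute paths and empty input are never acceptable from a client.
	if clientPath == "" || filepath.IsAbs(clientPath) {
		return "", ErrEscape
	}

	// Validate every component *before* any cleaning or encoding happens, so
	// a later rewrite step cannot turn an innocent-looking component into a
	// traversal. Components ending in "." are refused outright rather than
	// rewritten, since partial rewriting is exactly what the advisory describes.
	for _, c := range strings.Split(filepath.ToSlash(clientPath), "/") {
		if c == "" || c == "." || c == ".." || strings.HasSuffix(c, ".") {
			return "", ErrEscape
		}
	}

	// Join and clean, then prove containment lexically: the relative path from
	// root to the result must not begin with "..".
	joined := filepath.Join(root, filepath.FromSlash(clientPath))
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs; the root is an assumed datastore location.
	root := "/var/lib/velociraptor"
	for _, p := range []string{
		"clients/C.123/uploads/file.txt", // accepted
		"clients/dir./file.txt",          // trailing "." component, rejected
		"../etc/passwd",                  // parent traversal, rejected
		"clients//file.txt",              // empty component, rejected
	} {
		out, err := SafeJoin(root, p)
		fmt.Printf("%-35q -> %q err=%v\n", p, out, err)
	}
}
```

Because the containment check runs on the cleaned, joined path, it holds even if a separate storage layer later percent-encodes components; the encoding step can then be treated purely as a filename convention rather than as a security control.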

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-14728

Affected Products: Rapid7 Velociraptor