CVE-2025-61666
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-02

Last updated on: 2025-10-06

Assigner: GitHub, Inc.

Description
Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-02
Last Modified
2025-10-06
Generated
2026-06-16
AI Q&A
2025-10-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61666
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
traccar traccar 6.0
traccar traccar 5.8
traccar traccar 6.8.1
traccar traccar 6.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Traccar GPS tracking system versions 5.8 to 6.8.1. It allows unauthenticated local file inclusion attacks, meaning an attacker can access and read files on the system without authentication. This can lead to leakage of sensitive information such as passwords or the Traccar configuration file. The vulnerability exists by default in versions 6.1 to 6.8.1 and in versions 5.8 to 6.0 if a specific configuration setting is enabled. It was fixed in version 6.9.0.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information, including passwords and configuration files. This can compromise the security of the GPS tracking system and potentially allow attackers to gain further access or control over the system or data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Traccar to version 6.9.0 or later where the vulnerable code has been removed. Additionally, for versions 5.8 - 6.0, ensure that the configuration entry <entry key='web.override'>./override</entry> is not set or disabled. For versions 6.1 - 6.8.1, avoid using default installations or upgrade as soon as possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart