CVE-2025-61666 Overview
Traccar is an open source GPS tracking platform deployed across fleet management, logistics, and asset tracking environments. CVE-2025-61666 is an unauthenticated local file inclusion (LFI) vulnerability affecting Traccar installations on Windows. Default installs of versions 6.1 through 6.8.1 are vulnerable out of the box because the web override servlet is enabled by default. Non-default installs of versions 5.8 through 6.0 are vulnerable only when <entry key='web.override'>./override</entry> is set in the configuration file. Attackers can read arbitrary files from the host file system, including the Traccar configuration file and credentials. The vulnerable code was removed in version 6.9.0.
Critical Impact
Unauthenticated remote attackers can read arbitrary files on Windows hosts running affected Traccar versions, exposing configuration files, password material, and sensitive system data.
Affected Products
- Traccar 6.1 – 6.8.1 on Windows (default installs vulnerable)
- Traccar 5.8 – 6.0 on Windows (vulnerable when web.override is enabled)
- Traccar deployments using the DefaultOverrideServlet component
Discovery Timeline
- 2025-10-02 - CVE-2025-61666 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-61666
Vulnerability Analysis
The flaw resides in Traccar's DefaultOverrideServlet, which serves files from a local override directory so that operators can customize the bundled web interface. On Windows, path handling in the underlying Jetty addPath routine allows traversal sequences and absolute path components to escape the intended override root. An unauthenticated HTTP request can therefore reference files outside the override directory and retrieve their contents. The issue is classified as a path traversal weakness [CWE-22] and is exploitable purely over the network without user interaction. Traccar is commonly installed as a Windows service running with elevated privileges; in that configuration the attacker can read sensitive operating system files in addition to the Traccar configuration, which often contains database credentials and API secrets.
Root Cause
The DefaultOverrideServlet resolves request paths through Jetty's Resource.addPath() without sufficient normalization on Windows. Backslashes, drive letters, and .. segments are not consistently rejected, allowing the servlet to map external file paths to HTTP responses. The override feature is enabled by default starting in version 6.1, which expanded the exposure surface significantly compared with earlier releases.
Attack Vector
An unauthenticated attacker sends crafted HTTP requests to the override endpoint with traversal payloads designed to break out of the override root; the traversal tokens may be sent literally or URL-encoded, so detection and filtering must operate on the decoded path. The server returns the contents of the targeted file. Exploitation requires only network reachability to the Traccar web interface. See the GitHub Security Advisory, the vulnerable servlet source, and the Project Black analysis of Jetty addPath LFI for technical details.
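The two paragraphs above describe the weakness class rather than showing it. The following is an added example, not Traccar's or Jetty's code: it models a naive "join the request path onto the override root" resolution using Python's ntpath module (Windows path semantics, so it runs on any OS) and shows why backslashes, drive letters and .. segments escape the root. Beside it is a hardened resolver that decodes the request once, rejects those tokens, and confirms containment after normalization. The override root directory is an assumption chosen to mirror a typical Windows install layout.

```python
import ntpath
from urllib.parse import unquote

# Assumed override root; Traccar's real install path may differ.
OVERRIDE_ROOT = r"C:\Program Files\Traccar\override"


def naive_resolve(root: str, requested: str) -> str:
    """Model of the weak behaviour: join the request path onto the override
    root and normalise it, with no check that the result stays under root.
    Illustration of the CWE-22 pattern, not the actual servlet code."""
    return ntpath.normpath(ntpath.join(root, requested))


def safe_resolve(root: str, requested: str):
    """Hardened form: decode, refuse Windows escape tokens, then verify the
    normalised candidate is still inside the override root. Returns the
    resolved path or None when the request must be rejected."""
    decoded = unquote(requested)
    # URL paths use '/'; a backslash or a drive-letter colon has no
    # legitimate use inside an override path, so refuse them outright.
    if "\\" in decoded or ":" in decoded:
        return None
    # Reject traversal segments and rooted paths before joining at all.
    if decoded.startswith("/") or any(seg == ".." for seg in decoded.split("/")):
        return None
    root_norm = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normpath(ntpath.join(root, decoded))
    cand_norm = ntpath.normcase(candidate)
    # Containment: candidate must equal root or begin with root + separator.
    if cand_norm != root_norm and not cand_norm.startswith(root_norm + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("css/custom.css", "../../../Windows/win.ini",
                  r"..\..\..\Windows\win.ini", "C:/Windows/win.ini",
                  "%2e%2e/%2e%2e/%2e%2e/Windows/win.ini"):
        print(f"{probe!r:45} naive={naive_resolve(OVERRIDE_ROOT, probe)!r:40} "
              f"safe={safe_resolve(OVERRIDE_ROOT, probe)!r}")
```

The naive resolver maps both `../../../Windows/win.ini` and an absolute `C:\Windows\win.ini` to `C:\Windows\win.ini`, because ntpath.join discards the root when the second argument is absolute and normpath happily collapses `..` past the root. Note that the hardened version rejects `..` even when it would not escape (for example `img/../custom.css`); that is deliberate, since there is no reason for a customization path to contain it.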
Detection Methods for CVE-2025-61666
Indicators of Compromise
- HTTP requests to Traccar override paths containing ..\, ../, or absolute Windows paths such as C:\, including URL-encoded forms of the same tokens (for example %2e%2e and %5c)
- Successful 200 responses from override endpoints returning non-web content types (configuration, ini, xml, log files)
- Outbound retrieval of traccar.xml or Windows system files via the Traccar web service
- Repeated probing of override URIs from a single source address without prior authentication
Detection Strategies
- Inspect Traccar and reverse proxy access logs for traversal sequences targeting the override servlet
- Alert on responses from the Traccar web service that include strings from traccar.xml, such as database connection entries or web.override
- Correlate unauthenticated requests to override endpoints with anomalous response sizes or MIME types
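The indicators and detection strategies above can be turned into a log scan. Below is an added example, not part of the original page or of the Traccar project: it parses access log lines in the NCSA format Jetty's request log can emit, decodes each request path (twice, to catch double encoding), flags traversal, backslash and drive-letter tokens, and treats a 200 response with a non-empty body as a likely successful read. Because the page does not name a specific override URI, the detector keys on the traversal pattern rather than on a path prefix. The log lines are constructed samples, not real captures.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (NCSA common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2025:10:15:32 +0000] "GET /css/custom.css HTTP/1.1" 200 2048
203.0.113.7 - - [02/Oct/2025:10:16:01 +0000] "GET /..%5c..%5c..%5cWindows%5cwin.ini HTTP/1.1" 200 512
203.0.113.7 - - [02/Oct/2025:10:16:03 +0000] "GET /../../../Program%20Files/Traccar/conf/traccar.xml HTTP/1.1" 200 3210
203.0.113.7 - - [02/Oct/2025:10:16:05 +0000] "GET /C:/Windows/System32/drivers/etc/hosts HTTP/1.1" 200 824
203.0.113.7 - - [02/Oct/2025:10:16:07 +0000] "GET /%2e%2e/%2e%2e/secret.txt HTTP/1.1" 404 0
10.0.0.9 - - [02/Oct/2025:10:17:00 +0000] "POST /api/session HTTP/1.1" 200 145
"""

# src ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A ".." segment bounded by either separator, or at the start/end of the path.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# A drive letter followed by a separator, e.g. /C:/ or C:\ .
DRIVE_RE = re.compile(r'(^|/)[A-Za-z]:[\\/]')


def classify_path(raw_path: str) -> list:
    """Decode the request path and return the indicator names it triggers."""
    decoded = unquote(unquote(raw_path))  # second pass catches double encoding
    hits = []
    if "\\" in decoded:
        hits.append("backslash")
    if TRAVERSAL_RE.search(decoded):
        hits.append("dot-dot")
    if DRIVE_RE.search(decoded):
        hits.append("drive-letter")
    return hits


def scan_log(text: str) -> list:
    """Return one finding per request that carries a traversal indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_path(m["path"])
        if not indicators:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append({
            "src": m["src"], "ts": m["ts"], "path": m["path"],
            "indicators": indicators, "status": status,
            # A 200 with a body is the strongest sign the file read succeeded.
            "likely_success": status == 200 and size > 0,
        })
    return findings


def summarize(findings: list) -> dict:
    """Group findings by source address: probe count and apparent successes."""
    by_src = {}
    for f in findings:
        entry = by_src.setdefault(f["src"], {"probes": 0, "successful": 0, "paths": []})
        entry["probes"] += 1
        entry["successful"] += int(f["likely_success"])
        entry["paths"].append(f["path"])
    return by_src


if __name__ == "__main__":
    for src, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['probes']} traversal probes, {info['successful']} likely successful")
        for p in info["paths"]:
            print("   ", p)
```

The 404 with a zero-length body is still reported as a probe, so repeated unsuccessful attempts from one address (the fourth indicator in the list above) are visible alongside the successful reads. A production rule would also want the response size compared with the normal size of the override assets it serves.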
- Run authenticated version checks against Traccar instances to identify Windows hosts on 6.1 through 6.8.1, and hosts on 5.8 through 6.0 whose traccar.xml sets web.override
Monitoring Recommendations
- Forward Traccar Jetty access logs to a central log platform with retention sufficient for incident review
- Add web application firewall rules that block traversal patterns on Traccar paths
- Enable file access auditing (a Windows SACL with object access auditing) on the Traccar configuration directory so that reads of traccar.xml are logged; file integrity monitoring alone records modifications, not reads
- Track network connections from the Traccar host to unusual external destinations following suspicious requests
How to Mitigate CVE-2025-61666
Immediate Actions Required
- Upgrade Traccar to version 6.9.0 or later, where the vulnerable override servlet code is removed
- Restrict network access to the Traccar web interface to trusted administrative networks until patched
- Rotate any credentials stored in traccar.xml, including database passwords and SMTP or API secrets
- Audit web logs for prior exploitation attempts against override endpoints
Patch Information
The Traccar maintainers removed the vulnerable code in version 6.9.0. Administrators on 6.1–6.8.1 should upgrade immediately. Administrators on 5.8–6.0 should upgrade or remove the <entry key='web.override'>./override</entry> line from the configuration file. Refer to the Traccar security advisory GHSA-hprc-rph8-fj87 for full guidance.
Workarounds
- On versions 5.8–6.0, remove or comment out the web.override configuration entry to disable the vulnerable servlet
- Place Traccar behind a reverse proxy that rejects requests containing .., backslashes, or absolute path tokens, matching on the URL-decoded path so that encoded variants such as %2e%2e and %5c are also caught
- Run the Traccar Windows service under a least-privilege account to limit the files an attacker can read
- Restrict inbound access to the Traccar port with host-based or perimeter firewall rules
# Disable the vulnerable web override on Traccar 5.8 - 6.0 (traccar.xml)
# Remove the following entry, or wrap it in an XML comment, then restart the service:
#   <!-- <entry key='web.override'>./override</entry> -->
# Windows service restart (from an elevated prompt)
net stop traccar
net start traccar
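To make the workaround and the credential-rotation step auditable across a fleet, here is an added example that is not part of the page or of the Traccar project: it applies the advisory's version ranges, parses a traccar.xml (the Java properties XML layout Traccar uses), reports whether web.override is set and which entries hold credentials that must be rotated if the file may have been read, and comments out the override entry line by line so the rest of the file, including its DOCTYPE, is left byte-for-byte intact. The configuration fragment is constructed with placeholder values, and the list of credential key hints is an assumption covering the common cases rather than Traccar's full key set. Remember that on 6.1 and later the override is on by default, so removing the entry is not a fix there; upgrade to 6.9.0 or later.

```python
import re
import xml.etree.ElementTree as ET

# Constructed traccar.xml fragment; values are placeholders, not real secrets.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
<properties>
    <entry key='web.port'>8082</entry>
    <entry key='web.override'>./override</entry>
    <entry key='database.driver'>org.h2.Driver</entry>
    <entry key='database.user'>sa</entry>
    <entry key='database.password'>changeme</entry>
    <entry key='mail.smtp.password'>changeme2</entry>
</properties>
"""

# Substrings that mark a credential-bearing key (assumed subset, not exhaustive).
SECRET_KEY_HINTS = ("password", "secret", "token", "key")


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def is_affected(version: str, override_enabled: bool, windows: bool = True) -> bool:
    """Advisory ranges: 6.1 up to (not including) the 6.9.0 fix are affected by
    default; 5.8 up to (not including) 6.1 only when web.override is set.
    The flaw is Windows-specific, so other platforms are reported unaffected."""
    if not windows:
        return False
    ver = parse_version(version)
    if (6, 1) <= ver < (6, 9):
        return True
    if (5, 8) <= ver < (6, 1) and override_enabled:
        return True
    return False


def audit_config(xml_text: str) -> dict:
    """Report the override setting and every key that looks like a credential."""
    root = ET.fromstring(xml_text)
    entries = {e.get("key"): (e.text or "").strip() for e in root.findall("entry")}
    override = entries.get("web.override")
    secrets = sorted(k for k in entries
                     if any(h in k.lower() for h in SECRET_KEY_HINTS))
    return {
        "override_enabled": override is not None,
        "override_path": override,
        "secrets_to_rotate": secrets,
    }


def disable_override(xml_text: str) -> str:
    """Wrap the web.override entry in an XML comment. Done textually rather
    than via ElementTree so the DOCTYPE and formatting survive unchanged."""
    pattern = re.compile(r"^(\s*)(<entry key=['\"]web\.override['\"]>.*?</entry>)\s*$")
    out = []
    for line in xml_text.splitlines(keepends=True):
        m = pattern.match(line)
        out.append(f"{m.group(1)}<!-- {m.group(2)} -->\n" if m else line)
    return "".join(out)


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("override enabled:", report["override_enabled"], report["override_path"])
    print("rotate:", ", ".join(report["secrets_to_rotate"]))
    print("5.8 with override affected:", is_affected("5.8", report["override_enabled"]))
    print(disable_override(SAMPLE_CONFIG))
```

To apply it to a real host, read the live traccar.xml, write the result of disable_override back, and restart the service as shown in the snippet above; the audit report gives the list of entries whose values need rotating.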
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.