Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 03 Oct 2025 14:30:00 +0000

Type Values Removed Values Added
References

Fri, 03 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
Traccar
Traccar traccar
Vendors & Products Microsoft
Microsoft windows
Traccar
Traccar traccar

Thu, 02 Oct 2025 21:30:00 +0000

Type Values Removed Values Added
Description Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.
Title Traccar Unauthenticated Local File Inclusion on Windows - Leakage of Traccar Config File
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-10-03T14:15:50.344Z

Reserved: 2025-09-29T20:25:16.179Z

Link: CVE-2025-61666

cve-icon Vulnrichment

Updated: 2025-10-03T13:42:53.691Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-10-02T22:15:38.240

Modified: 2025-10-06T14:57:05.000

Link: CVE-2025-61666

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-10-03T08:22:33Z