Robocode, Directory Traversal Vulnerability in recursivelyDelete Method (Critical)


The directory traversal vulnerability in Robocode version 1.9.3.6 resides in the recursivelyDelete method of the CacheCleaner component. The method is designed to delete files and directories under a specified cache location, but it neither validates nor sanitizes the file paths it receives. A caller can therefore supply a crafted path containing directory traversal sequences such as “../”; because the method never restricts its operations to the intended cache directory, such a path escapes the designated area and results in arbitrary file deletion on the host where Robocode is running.

The root cause is the absence of path canonicalization and of any check that prevents relative-path escapes. User-controlled input that influences the path parameter of recursivelyDelete thus directly steers the file-system operations: an input like “../../etc/passwd”, for instance, could lead to the deletion of critical system files. The method likely uses Java’s File API without resolving paths to their absolute form or verifying that they remain within the cache boundary, which leaves the application open to attacks on system integrity and availability. Exploitation may occur through any network-accessible interface that invokes the cache-cleaning functionality.

The severity is rated critical because widespread file deletion can cause denial of service, data loss, or further system exploitation, and Robocode’s cache management features may be exposed to users, enlarging the attack surface. The vulnerability was publicly disclosed via the National Vulnerability Database and the GitHub Advisory Database on December 9, 2025. Developers must implement proper input validation and path normalization and confine file operations to the intended directories. Until a patch is released, users should limit access to Robocode’s cache-cleaning capabilities and monitor for unauthorized activity.
Platform: Robocode
Version: 1.9.3.6
Vulnerability: Directory Traversal
Severity: Critical
Date: Dec 9, 2025

Prediction: Patch expected soon

What Undercode Says:

Analytics:

Bash command: `robocode --version`

Bash command: `find / -name robocode 2>/dev/null`

Code snippet:

```java
import java.io.File;

// Vulnerable recursivelyDelete in CacheCleaner: the path is used exactly as received,
// with no canonicalization and no check that it stays inside the cache directory.
public void recursivelyDelete(String path) {
    File target = new File(path);
    if (target.isDirectory()) {
        File[] children = target.listFiles();   // null on I/O error or permission denied
        if (children != null) {
            for (File sub : children) {
                recursivelyDelete(sub.getPath());
            }
        }
    }
    target.delete();
}
```
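A hardened replacement for the method above, added here as an illustration; it is not Robocode's own code or its patch, and the class name, method names and the sandbox paths in main are assumptions. It resolves the caller's path against the cache root, normalizes it, rejects anything that leaves the root either lexically or physically (through a symlink), and only then deletes children before parents.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.*;
import java.util.Comparator;
import java.util.stream.Stream;

// Hypothetical hardened cleaner (not Robocode's code): every delete is confined to cacheRoot.
public class SafeCacheCleaner {
    private final Path cacheRoot;

    public SafeCacheCleaner(Path cacheRoot) throws IOException {
        this.cacheRoot = cacheRoot.toRealPath(); // resolve symlinks once, so checks compare real locations
    }

    public void recursivelyDelete(String userPath) throws IOException {
        // Resolve relative input against the root and collapse "." and ".." segments.
        // An absolute userPath replaces the root in resolve(), so it fails the check below too.
        Path target = cacheRoot.resolve(userPath).normalize();
        // Lexical boundary check: the normalized path must still sit strictly below the cache root.
        if (!target.startsWith(cacheRoot) || target.equals(cacheRoot)) {
            throw new SecurityException("Refusing to delete outside cache: " + userPath);
        }
        if (!Files.exists(target, LinkOption.NOFOLLOW_LINKS)) {
            return; // nothing to do
        }
        // Physical boundary check: a symlink inside the cache must not point outside it.
        if (!target.toRealPath().startsWith(cacheRoot)) {
            throw new SecurityException("Refusing to follow link outside cache: " + userPath);
        }
        // Files.walk does not follow symlinks, so a link is removed as a link, never traversed.
        // Reverse order deletes children before their parent directories.
        try (Stream<Path> walk = Files.walk(target)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> {
                try { Files.delete(p); } catch (IOException e) { throw new UncheckedIOException(e); }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("robocode-cache"); // constructed sandbox, not a real cache
        Files.createFile(root.resolve("stale.bin"));
        SafeCacheCleaner cleaner = new SafeCacheCleaner(root);
        cleaner.recursivelyDelete("stale.bin");             // inside the root: deleted
        try {
            cleaner.recursivelyDelete("../../etc/passwd");  // the page's example input: refused
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```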

How to Exploit:

Craft an input path containing “../” sequences so that it escapes the cache directory, then invoke the recursivelyDelete method on it to delete arbitrary files.

Protection from this CVE:

Apply the vendor patch. Restrict access to CacheCleaner. Validate and sanitize file paths: canonicalize them and reject any path that resolves outside the cache directory.

Impact:

Arbitrary file deletion. System compromise. Denial of service.


Sources:

Reported By: github.com