CVE-2025-66687 identifies a directory traversal vulnerability in Doom Launcher version 3.8.1.0, a game management tool used to extract and launch game files. The vulnerability stems from the application's failure to properly validate file paths during the extraction process. Specifically, when extracting game files, the launcher does not sanitize or restrict file paths, allowing an attacker to craft malicious archive files containing path traversal sequences (e.g., '../') that cause files to be written outside the intended extraction directory. This can lead to unauthorized overwriting or disclosure of arbitrary files on the host system. The vulnerability is remotely exploitable without requiring any authentication or user interaction, as the launcher processes game files automatically. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact primarily affects confidentiality, as attackers can potentially read sensitive files by placing them in accessible locations or overwrite files to facilitate further attacks. No integrity or availability impact is directly indicated. No patches or official fixes have been published yet, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common and critical security weakness in file handling. Organizations using Doom Launcher 3.8.1.0 should be aware of this risk and prepare to implement mitigations or updates once available.

The primary impact of CVE-2025-66687 is unauthorized disclosure of sensitive information due to directory traversal during file extraction. Attackers can exploit this vulnerability to write files outside the intended directory, potentially exposing configuration files, credentials, or other sensitive data stored on the system. This can lead to further compromise if attackers gain access to critical files or use the vulnerability as a foothold for additional attacks. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can have severe consequences, especially in environments where sensitive user data or proprietary information is stored. Organizations relying on Doom Launcher for game deployment or management may face data leakage risks, reputational damage, and potential compliance violations. The ease of exploitation without authentication or user interaction increases the threat level, making automated attacks feasible. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk until patched.

To mitigate CVE-2025-66687, organizations should implement the following specific measures: 1) Restrict file extraction paths by enforcing strict validation and sanitization of file names and paths before extraction, ensuring no directory traversal sequences are allowed. 2) Use application-level whitelisting to restrict which files and directories the Doom Launcher can access or modify. 3) Monitor file system changes in directories used by the launcher to detect suspicious activity or unauthorized file writes. 4) Isolate the launcher execution environment using sandboxing or containerization to limit the impact of potential exploitation. 5) Until an official patch is released, consider disabling automatic extraction features or using alternative tools for game file management. 6) Educate users and administrators about the risks of opening untrusted game files and encourage verification of file sources. 7) Regularly check for updates from the vendor and apply patches promptly once available. These targeted actions go beyond generic advice by focusing on controlling file path handling and limiting the attack surface specific to the launcher’s extraction process.