CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution
Affected versions: 7-Zip prior to 25.01
Impact: Arbitrary file write, may lead to code execution
Fix: Update to 7-Zip 25.01
CVE ID: CVE-2025-55188
CVSS: 2.7 [AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N] (please see the note at the end of this post, however!)

## Summary

Extracting a maliciously crafted archive with 7-Zip prior to 25.01 allows an arbitrary file write, which may lead to arbitrary code execution. I recommend that users update to 7-Zip 25.01, which contains a fix for this.

## Attack Vector

The conditions necessary for this vulnerability to be exploited are:

1. The user is on Linux.
2. The 7-Zip version is prior to 25.01.
3. The user is extracting an archive in a format for which 7-Zip supports symbolic links (e.g. .zip, .tar, .7z, .rar, etc.).

This attack may also be carried out on Windows, but additional conditions are necessary: the 7-Zip extraction process must have the capability to create symbolic links (e.g. extraction with Administrator privileges, Windows in Developer Mode, etc.).

## Details

7-Zip before 25.01 does not always properly handle symbolic links during extraction. Prior to 25.01, it was possible for a maliciously crafted archive to create an unsafe symbolic link. Because 7-Zip follows symbolic links when extracting, this leads to an arbitrary file write. An attacker may leverage this arbitrary file write to achieve unauthorized access or code execution, such as by overwriting a user's SSH keys or .bashrc file [1]. Within a single extraction, an attacker may attempt several times to leverage this vulnerability to write to sensitive files.

## Note about the CVE

As of my writing this, if you look up CVE-2025-55188, you will see that online references depict it as relatively benign (e.g. no mention of arbitrary file write, CVSS score of 2.7). I don't know why, but MITRE has, in my opinion, severely underreported this vulnerability as compared to what I submitted on the CVE form. I have submitted a request for MITRE to reevaluate the CVSS score, but I suspect they will not see it for a few days. Because of this, if any package repository maintainer needs additional proof that the assertions I made in this post are true, I am happy to privately provide a proof-of-concept.

## Credits

- lunbun (lunbun...@gmail.com, https://github.com/lunbun), reporter.
- Igor Pavlov (7-Zip maintainer), especially for responding quickly and fixing this quickly.

## References

[1] https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html
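The Details section above describes the pattern behind this class of bug: an archive entry first creates a symbolic link, and a later entry is written through it. As an added illustration, not part of this advisory and not 7-Zip's code, the following Python audit replays a tar archive's entries in order the way a link-following extractor would and flags any entry that would create or write a path outside the extraction directory; `audit_tar`, `build_sample` and the `/tmp/extract` destination are names chosen here for the example, and the sample archive is constructed inline.

```python
import io
import posixpath
import tarfile

def audit_tar(data: bytes, dest: str = "/tmp/extract"):
    """Replay tar entries in order as a link-following extractor would under `dest`;
    return (member, reason) pairs for entries that would touch a path outside `dest`."""
    dest = posixpath.normpath(dest)
    links = {}  # archive-relative path of a symlink entry -> its link target
    findings = []

    def inside(path):
        return path == dest or path.startswith(dest + "/")

    def resolve(name):
        # Walk component by component, substituting any symlink an earlier entry of
        # the same archive created: that substitution is what redirects a later write.
        path = dest
        for part in name.split("/"):
            path = posixpath.normpath(posixpath.join(path, part))
            rel = posixpath.relpath(path, dest)
            if rel in links:
                path = posixpath.normpath(posixpath.join(posixpath.dirname(path), links[rel]))
        return path

    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            full = resolve(m.name)
            if not inside(full):
                findings.append((m.name, "entry resolves outside destination"))
                continue
            if m.issym():
                target = posixpath.normpath(posixpath.join(posixpath.dirname(full), m.linkname))
                if not inside(target):
                    findings.append((m.name, "symlink target outside destination: " + m.linkname))
                links[posixpath.relpath(full, dest)] = m.linkname  # record it either way
    return findings

def build_sample() -> bytes:
    """Constructed sample archive (not a real-world file): a benign file, a symlink
    whose target leaves the extraction directory, and a file written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, link in [("pkg/readme.txt", tarfile.REGTYPE, ""),
                                 ("pkg/escape", tarfile.SYMTYPE, "../../elsewhere"),
                                 ("pkg/escape/written.txt", tarfile.REGTYPE, "")]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tar.addfile(info)  # zero-length regular files need no payload
    return buf.getvalue()
```

Running `audit_tar(build_sample())` reports both the escaping symlink and the file that would be written through it, while the benign `pkg/readme.txt` entry produces no finding.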