Message-ID: <CAMqWyhi=xW2sq2+Hb2aJ=ta-zfi_Zay6CztQ9mvDqgjbKr1HpQ@mail.gmail.com>
Date: Sat, 9 Aug 2025 13:46:19 -0700
From: lunbun <lunbun021@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution

CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution
Affected versions: 7-Zip prior to 25.01
Impact: Arbitrary file write, may lead to code execution
Fix: Update to 7-Zip 25.01
CVE ID: CVE-2025-55188
CVSS: 2.7 [AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N] (please see the note at the end of this post, however!)
## Summary
Extracting a maliciously-crafted archive with 7-Zip prior to 25.01 allows an arbitrary file write, which may lead to arbitrary code execution.
I recommend that users update to 7-Zip 25.01, which contains a fix for this.
## Attack Vector
The conditions necessary for this vulnerability to be exploited are:
1. The user is on Linux
2. The 7-Zip version is prior to 25.01
3. The user is extracting an archive in a format for which 7-Zip supports symbolic links (e.g. .zip, .tar, .7z, .rar, etc...)
This attack may also be done on Windows, but additional conditions are necessary. On Windows, the 7-Zip extraction process must have the capability to create symbolic links (e.g. extracting with Administrator privileges, Windows being in Developer Mode, etc...).
## Details
7-Zip before 25.01 does not always properly handle symbolic links during extraction. Prior to 25.01, it was possible for a maliciously-crafted archive to create an unsafe symbolic link, i.e. one pointing outside the extraction directory. 7-Zip follows symbolic links when extracting, so entries written through that link land outside the extraction directory, which amounts to an arbitrary file write.
An attacker may leverage this arbitrary file write to achieve unauthorized access or code execution, for example by overwriting a user's SSH keys or .bashrc file [1]. Within a single extraction, an attacker may make several attempts to leverage this vulnerability to write to sensitive files.
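As an added illustration of the condition described above (this is not code from the post or from 7-Zip; it uses Python's tarfile module as a stand-in container format and constructs its own sample archive), a pre-extraction check that walks the entries in order, records each symlink as it would be created on disk, and flags any later entry whose path passes through a link that leaves the extraction root:

```python
import io
import posixpath
import tarfile

def _resolve(name, links, depth=0):
    """Resolve name under the root, following links recorded so far; None if it escapes."""
    if depth > 40 or name.startswith("/"):
        return None  # absolute path, or a link chain that is too long / loops
    parts = [p for p in name.split("/") if p not in ("", ".")]
    for i in range(1, len(parts) + 1):
        prefix = "/".join(parts[:i])
        if prefix in links:  # an earlier entry turned this component into a symlink
            rebased = posixpath.join(posixpath.dirname(prefix), links[prefix], *parts[i:])
            return _resolve(rebased, links, depth + 1)
    norm = posixpath.normpath("/".join(parts)) if parts else "."
    return None if norm == ".." or norm.startswith("../") else norm

def unsafe_entries(archive_bytes):
    """Return [(entry name, reason)] for entries that would land outside the root."""
    findings, links = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tf:
        for m in tf:
            where = _resolve(m.name, links)
            if where is None:
                findings.append((m.name, "path resolves outside extraction root"))
                continue
            if m.issym():  # remember the link so later entries are checked through it
                links[where] = m.linkname
                dest = posixpath.join(posixpath.dirname(where), m.linkname)
                if _resolve(dest, links) is None:
                    findings.append((m.name, "symlink target outside extraction root"))
    return findings

def build_sample():
    """Constructed sample: escaping link + file through it, harmless link + file through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, linkname, payload in [("link", "../../outside", None),
                                        ("link/payload.txt", None, b"constructed"),
                                        ("alias", "docs", None),
                                        ("alias/readme.txt", None, b"ok")]:
            ti = tarfile.TarInfo(name)
            if linkname is not None:
                ti.type, ti.linkname = tarfile.SYMTYPE, linkname
                tf.addfile(ti)
            else:
                ti.size = len(payload)
                tf.addfile(ti, io.BytesIO(payload))
    return buf.getvalue()
```

Running `unsafe_entries(build_sample())` reports the escaping link and the file routed through it, while the in-root alias and the file under it pass.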
## Note about the CVE
As of my writing this, if you look up CVE-2025-55188, you will see that online references depict it as relatively benign (e.g. no mention of arbitrary file write, CVSS score of 2.7). I don't know why, but MITRE has, in my opinion, severely underreported this vulnerability as compared to what I submitted on the CVE form. I have submitted a request for MITRE to reevaluate the CVSS score, but I suspect they will not see it for a few days. Because of this, if any package repository maintainer needs additional proof that the assertions I made in this post are true, I am happy to privately provide a proof-of-concept.
## Credits
lunbun (lunbun021@...il.com, https://github.com/lunbun), reporter.
Igor Pavlov (7-Zip maintainer), especially for responding quickly and fixing this quickly.
## References
[1] https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html