Message-ID: <20251016230108.GA18468@openwall.com>
Date: Fri, 17 Oct 2025 01:01:08 +0200
From: Solar Designer <solar@...nwall.com>
To: lunbun <lunbun021@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution

Hi,

It's another case where I was hoping someone else would reply, but since
no one did, I do.

On Sun, Oct 12, 2025 at 03:59:27PM -0700, lunbun wrote:
> Does anyone know how might I get the CVSS score of this vulnerability
> (CVE-2025-55188) increased?

CVSS scores don't exist on their own - they're computed from CVSS
vectors.  So you need to suggest and justify a certain CVSS vector.
Please refer to CVSS specification documents and examples from FIRST:

https://www.first.org/cvss/v3-1/

> I recently saw an advisory for CVE-2025-11001, a very similar
> arbitrary file write in 7-Zip due to symbolic links
> (https://www.zerodayinitiative.com/advisories/ZDI-25-949/).

I actually care more about bringing vulnerability detail in here than
about CVSS scores, so let me quote the above as if you did:

> > October 7th, 2025
> > 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
> > ZDI-25-949
> > ZDI-CAN-26753
> > CVE ID: CVE-2025-11001
> > CVSS SCORE: 7.0, AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
> > AFFECTED VENDORS: 7-Zip
> > AFFECTED PRODUCTS: 7-Zip
> > VULNERABILITY DETAILS
> > 
> > This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
> > 
> > The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account.
> > ADDITIONAL DETAILS
> > 
> > Fixed in 7-Zip 25.00
> > 
> > DISCLOSURE TIMELINE
> > 
> >     2025-05-02 - Vulnerability reported to vendor
> >     2025-10-07 - Coordinated public release of advisory
> >     2025-10-07 - Advisory Updated
> > 
> > CREDIT: Ryota Shiga (GMO Flatt Security Inc.) with takumi-san.ai

> However, CVE-2025-11001 is clearly different from CVE-2025-55188,
> as the advisory states that CVE-2025-11001 was patched in 25.00.
> My proof-of-concept symbolic link attack for CVE-2025-55188 works in
> version 25.00.
> 
> I am concerned that due to the low CVSS score of CVE-2025-55188, most users
> do not realize that 25.00 is still vulnerable to symbolic link attacks.
> 
> I've already tried contacting MITRE 8 times to update the description
> and CVSS score. I've only received one response, and that was that
> not enough public information was available.
> 
> I then published a proof-of-concept and vulnerability explanation
> (https://github.com/lunbun/CVE-2025-55188 and
> https://lunbun.dev/blog/cve-2025-55188/), but MITRE is still unresponsive
> to my update requests.
> 
> I suspect that MITRE is just busy with a huge backlog of CVE requests,
> but I am not sure what to do here. If anyone could offer any advice,
> I'd greatly appreciate it.

Yes, I suspect they're just busy.

There isn't any one authoritative source for CVSS scores.  In fact,
there are often different/conflicting CVSS scores (and their
corresponding different CVSS vectors) coming from different sources.

In this case, for CVE-2025-55188 the only score published by NVD is in
fact coming from MITRE, and it is:

3.6, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

As to CVE-2025-11001, it is "reserved by a CNA" and not yet published,
so the higher score of 7.0 (which I've confirmed does match the vector)
remains ZDI's suggestion.  You can also make your suggestion e.g. in
this thread and in your blog - and it'd have similar (lack of) effect.

I hope this helps.

Alexander
