A critical security vulnerability has been discovered in 7-Zip, the popular file compression utility, that allows attackers to perform arbitrary file writes during archive extraction, potentially leading to code execution.
The vulnerability, tracked as CVE-2025-55188, affects all versions of 7-Zip prior to 25.01 and has prompted security researchers to recommend immediate updates.
The vulnerability stems from improper handling of symbolic links during archive extraction. Security researcher lunbun discovered that 7-Zip before version 25.01 does not always properly validate symbolic links when extracting maliciously-crafted archives.
This oversight allows attackers to create unsafe symbolic links that can redirect file operations outside the intended extraction directory.
When 7-Zip follows these manipulated symbolic links during extraction, it enables attackers to write files to arbitrary locations on the target system.
This arbitrary file write capability can be leveraged to achieve unauthorized access and code execution by overwriting critical system files, SSH keys, or shell startup scripts like .bashrc.
The attack is particularly effective on Linux systems where users can extract archives containing symbolic links in formats such as ZIP, TAR, 7Z, or RAR.
On Windows systems, exploitation requires additional conditions such as Administrator privileges or Developer Mode to create symbolic links.
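As an added illustration (not code from the advisory or from 7-Zip itself), the Python below audits a tar archive before extraction for the pattern described above: a symbolic link whose target leaves the extraction directory, followed by a file written through that link. The archive it inspects is a constructed sample, and the extraction root `/extract` and all member names are assumptions; the policy is deliberately stricter than a general-purpose extractor would be.

```python
import io
import posixpath
import tarfile

def audit_tar_members(tar: tarfile.TarFile, root: str = "/extract") -> list[tuple[str, str]]:
    """Return (member, reason) for every member an extractor must refuse; any finding
    should abort the whole extraction. Strict policy for untrusted input: no '..' or
    absolute member paths, no absolute or '..' symlink targets, and no member path or
    link target that passes through a symlink this same archive creates."""
    findings: list[tuple[str, str]] = []
    symlinks: set[str] = set()  # normalised paths of symlink members seen so far
    def via(p: str) -> bool:    # does path p lie on or under a symlink from this archive?
        return any(p == s or p.startswith(s + "/") for s in symlinks)
    for m in tar:
        dest = posixpath.normpath(posixpath.join(root, m.name))
        if ".." in m.name.split("/") or not (dest == root or dest.startswith(root + "/")):
            findings.append((m.name, "path escapes extraction root"))
        elif via(posixpath.dirname(dest)):
            findings.append((m.name, "path traverses a symlink from this archive"))
        elif m.issym():
            symlinks.add(dest)  # recorded even when rejected, so later writes through it are flagged
            t = m.linkname
            if posixpath.isabs(t) or ".." in t.split("/"):
                findings.append((m.name, f"symlink target leaves its directory: {t}"))
            elif via(posixpath.normpath(posixpath.join(posixpath.dirname(dest), t))):
                findings.append((m.name, f"symlink target passes through another symlink: {t}"))
    return findings

def build_demo_archive() -> bytes:
    """Constructed sample (not from the advisory): benign members plus the attack pattern."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes = b"", link: str = "") -> None:
            ti = tarfile.TarInfo(name)
            if link:
                ti.type, ti.linkname = tarfile.SYMTYPE, link
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
        add("good/readme.txt", b"hello")
        add("good/alias", link="readme.txt")                   # harmless in-tree link
        add("escape", link="../../home/victim")                # link pointing outside the tree
        add("escape/.bashrc", b"# lands in the victim's home")  # write that follows the link
        add("abs", link="/etc")                                 # absolute link target
        add("../outside.txt", b"classic path traversal")
    return buf.getvalue()

def audit_bytes(data: bytes) -> list[tuple[str, str]]:
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_tar_members(tar)
```

The same checks apply to ZIP entries that carry symlink mode bits; on Python 3.12 and later, `tarfile`'s `data` extraction filter enforces a comparable policy for tar archives.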
7-Zip Vulnerability
Despite the potentially severe impact, CVE-2025-55188 has been assigned a CVSS score of only 2.7, which the vulnerability discoverer disputes as significantly underreported.
Lunbun expressed concern that MITRE has “severely underreported this vulnerability” compared to what was submitted in the original CVE form, noting the discrepancy between the low official rating and the actual arbitrary file write and code execution capabilities.
The researcher has submitted a request for MITRE to reevaluate the CVSS score and offered to provide proof-of-concept demonstrations to package repository maintainers who need additional verification.
This controversy highlights ongoing challenges in accurately assessing the risk posed by archive extraction vulnerabilities, particularly those involving symbolic link manipulation.
Security experts emphasize that while the CVSS score suggests low severity, the impact can be severe if attackers can control archive contents and the extraction environment.
Multiple successful exploitation attempts within a single extraction can target various sensitive files simultaneously, amplifying the potential damage.
7-Zip 25.01 Addresses Security Gap
The vulnerability has been resolved in 7-Zip version 25.01, released on August 3, 2025.
The update includes enhanced security measures for handling symbolic links during archive extraction, with the development team noting that “the code for handling symbolic links has been changed to provide greater security when extracting files from archives”.
A new command-line switch -snld20 has been introduced to bypass default security checks when creating symbolic links, providing administrators with controlled flexibility while maintaining security by default.
This approach ensures backward compatibility for legitimate use cases while protecting against malicious exploitation.
Since 7-Zip lacks an automatic update mechanism, users must manually download and install the latest version from the official website.
Organizations should prioritize updating all 7-Zip installations, especially on systems that regularly process archives from external sources.
Security teams should also implement additional safeguards such as restricting archive processing to sandboxed environments and avoiding extraction of archives from untrusted sources until systems are updated.
The discovery of CVE-2025-55188 follows a pattern of archive-related vulnerabilities in 7-Zip, including previous vulnerabilities like CVE-2024-11477 and CVE-2025-0411, underscoring the importance of maintaining current versions of widely-used archiving software.