CVE-2025-14111 Overview
A path traversal vulnerability has been identified in Rarlab RAR App up to version 7.11 Build 127 on Android. This security flaw affects the com.rarlab.rar component and allows remote attackers to perform arbitrary file write and read operations through path traversal techniques. The vulnerability has been publicly disclosed and requires upgrading to the patched version for remediation.
Critical Impact
Successful exploitation of this path traversal vulnerability could allow attackers to read or write arbitrary files on affected Android devices running vulnerable versions of RAR App, potentially leading to data theft or system compromise.
Affected Products
- Rarlab RAR App versions up to 7.11 Build 127 on Android
- Google Android (as the underlying operating system)
Discovery Timeline
- 2025-12-05 - CVE-2025-14111 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-14111
Vulnerability Analysis
This path traversal vulnerability in the RAR for Android application allows attackers to manipulate file paths during archive extraction operations. The flaw resides in the com.rarlab.rar component, which fails to properly sanitize path sequences within archive entries. When processing specially crafted RAR archives, the application does not adequately validate directory traversal sequences (such as ../), enabling attackers to write files to arbitrary locations outside the intended extraction directory.
The vendor has explicitly confirmed this is a vulnerability affecting only RAR for Android, with WinRAR and Unix RAR versions remaining unaffected. The complexity of exploitation is noted as high, requiring specific conditions to be met for successful attack execution.
Root Cause
The root cause of this vulnerability is improper input validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the archive extraction functionality. The com.rarlab.rar component does not sufficiently sanitize file paths contained within archive entries before writing extracted files to the filesystem. This allows specially crafted archives containing path traversal sequences to escape the intended extraction directory.
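The check that the root cause describes as missing, shown as an added example: this is not Rarlab's code (the app's source is not public), but a generic containment test an extractor should run on every entry name before writing. The rejection policy, the extraction directory and the sample entry names are assumptions constructed for the illustration.

```python
"""Added example, not Rarlab code: a containment check for archive entry names
before extraction, i.e. the control whose absence is classed as CWE-22 above.
The rejection policy and the sample entry names are assumed/constructed."""
import os
import posixpath
from typing import Dict, Iterable, Tuple


class UnsafeEntryName(ValueError):
    """An entry name that would resolve outside the extraction directory."""


def resolve_entry_target(dest_dir: str, entry_name: str) -> str:
    """Return the absolute path an entry may be written to, or raise.

    Order matters: normalise separators, reject absolute names, collapse
    '.'/'..' segments, then confirm the resolved target still sits under
    dest_dir. A plain string-prefix comparison would accept 'out/../../x'
    because the name starts with 'out'.
    """
    if not entry_name:
        raise UnsafeEntryName("empty entry name")
    name = entry_name.replace("\\", "/")  # some writers emit backslashes
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntryName(f"absolute entry name: {entry_name!r}")
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        raise UnsafeEntryName(f"traversal in entry name: {entry_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    # commonpath catches escapes that survive normpath, e.g. through a
    # symlinked component that already exists inside dest_dir.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeEntryName(f"entry escapes extraction dir: {entry_name!r}")
    return target


def vet_entries(dest_dir: str, entry_names: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split entries into accepted (name -> path relative to dest_dir) and
    rejected (name -> reason); an extractor can then refuse the whole archive
    or skip offending entries according to its own policy."""
    accepted: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    root = os.path.realpath(dest_dir)
    for name in entry_names:
        try:
            accepted[name] = os.path.relpath(resolve_entry_target(dest_dir, name), root)
        except UnsafeEntryName as exc:
            rejected[name] = str(exc)
    return accepted, rejected


# Constructed entry names modelled on the traversal pattern described above.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "a/./b/../c.txt",
    "../../../Documents/autorun.sh",
    "/data/local/tmp/payload",
    "sub/..\\..\\evil.sh",
    "C:evil.txt",
]

if __name__ == "__main__":
    ok, bad = vet_entries("/var/tmp/extract", SAMPLE_ENTRIES)
    for entry, rel in ok.items():
        print("extract", entry, "->", rel)
    for entry, why in bad.items():
        print("REJECT ", entry, ":", why)
```

The realpath step is what distinguishes this from a lexical check: if an earlier entry in the same archive created a symlink inside the extraction directory, a later entry routed through that link still fails the commonpath test.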
Attack Vector
The attack vector is network-based: an attacker delivers a malicious RAR archive to a victim through means such as email attachments, malicious downloads, or compromised websites. When the victim opens and extracts the archive with the vulnerable RAR for Android application, the traversal sequences in the entry names are honoured, allowing files to be written to or read from arbitrary locations on the device's filesystem.
The exploitation requires user interaction (opening a malicious archive) and is considered highly complex to execute successfully. However, the vulnerability has been publicly disclosed, making the attack methodology known to potential threat actors. For detailed technical analysis, refer to the GitHub Vulnerability Report.
Detection Methods for CVE-2025-14111
Indicators of Compromise
- Presence of RAR App version 7.11 Build 127 or earlier on Android devices
- Unusual file creation or modification in directories outside expected extraction paths
- Evidence of recently extracted RAR archives with suspicious naming conventions or paths
- Unexpected files appearing in sensitive application directories or system folders
Detection Strategies
- Implement mobile device management (MDM) solutions to inventory and monitor installed application versions across the enterprise fleet
- Configure endpoint detection to alert on file write operations originating from RAR App that target directories outside the application sandbox
- Monitor for network downloads of RAR archives followed by suspicious filesystem activity
- Deploy SentinelOne Singularity Mobile to detect exploitation attempts and path traversal attacks on Android devices
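The second and third strategies above (alerting on archiver writes outside an expected extraction root, and correlating them with a preceding RAR download) as an added example, written here rather than taken from the advisory or from any vendor product. The key=value audit-line format, the allow-listed write roots, the two-minute correlation window and the sample lines are all assumptions constructed for the illustration.

```python
"""Added example, not part of the advisory or of any vendor tooling: applies
the detection strategies above to file-operation audit lines. The log format,
the allow-list and the sample lines are assumptions/constructed."""
import posixpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

RAR_PKG = "com.rarlab.rar"

# Assumed policy: where the archiver is expected to write, i.e. its own
# sandbox plus the extraction folder the organisation standardises on.
ALLOWED_WRITE_ROOTS = (
    "/data/user/0/com.rarlab.rar",
    "/storage/emulated/0/Download",
)
CORRELATION_WINDOW = timedelta(minutes=2)  # assumed window after a .rar download

# Constructed sample lines (not real telemetry) in an assumed key=value format.
SAMPLE_LOG = """\
2025-12-06T10:01:50Z uid=10077 pkg=com.android.chrome op=write path=/storage/emulated/0/Download/invoice.rar
2025-12-06T10:02:11Z uid=10231 pkg=com.rarlab.rar op=write path=/storage/emulated/0/Download/invoice/summary.pdf
2025-12-06T10:02:11Z uid=10231 pkg=com.rarlab.rar op=write path=/data/user/0/com.rarlab.rar/cache/tmp.bin
2025-12-06T10:02:12Z uid=10231 pkg=com.rarlab.rar op=write path=/storage/emulated/0/Download/invoice/../../Documents/autorun.sh
2025-12-06T10:02:12Z uid=10231 pkg=com.rarlab.rar op=write path=/storage/emulated/0/Android/data/com.example.bank/files/config.json
2025-12-06T10:09:00Z uid=10231 pkg=com.rarlab.rar op=write path=/storage/emulated/0/Pictures/photo.jpg
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) pkg=(?P<pkg>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$"
)


@dataclass
class Alert:
    ts: datetime
    pkg: str
    path: str
    reasons: List[str] = field(default_factory=list)


def under_allowed_root(path: str) -> bool:
    """Containment check on the normalised path. Prefix matching on the raw
    string would accept .../Download/../Pictures/x, so normpath runs first."""
    norm = posixpath.normpath(path)
    return any(norm == root or norm.startswith(root + "/") for root in ALLOWED_WRITE_ROOTS)


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per offending archiver write, with every rule it tripped."""
    alerts: List[Alert] = []
    last_rar_download: Optional[datetime] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        pkg, op, path = m["pkg"], m["op"], m["path"]
        if op == "write" and path.lower().endswith(".rar"):
            last_rar_download = ts  # any app dropping an archive opens the window
        if pkg != RAR_PKG or op != "write":
            continue
        reasons: List[str] = []
        if "/../" in path or path.startswith("../"):
            reasons.append("traversal sequence in write path")
        if not under_allowed_root(path):
            reasons.append("write outside allowed extraction roots")
        if reasons and last_rar_download and ts - last_rar_download <= CORRELATION_WINDOW:
            reasons.append("follows a .rar download within the correlation window")
        if reasons:
            alerts.append(Alert(ts, pkg, path, reasons))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(a.ts.isoformat(), a.path, "|", "; ".join(a.reasons))
```

Whether the raw path in a real audit source still contains the `..` segments depends on the telemetry layer (kernel-level sources usually report the resolved path), which is why the containment rule is kept separate from the traversal-marker rule and fires on the normalised path regardless.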
Monitoring Recommendations
- Enable verbose logging for file system operations on managed Android devices
- Configure alerts for RAR App versions below 7.20 build 128 in enterprise environments
- Monitor application update compliance to ensure vulnerable versions are promptly upgraded
- Track file integrity in critical system and application directories
How to Mitigate CVE-2025-14111
Immediate Actions Required
- Upgrade RAR for Android to version 7.20 build 128 or later immediately
- Audit enterprise mobile devices for vulnerable RAR App installations using MDM solutions
- Educate users about the risks of opening RAR archives from untrusted sources
- Consider temporarily restricting RAR archive handling until all devices are patched
Patch Information
Rarlab has addressed this vulnerability in RAR for Android version 7.20 build 128. The vendor responded professionally to the disclosure and has publicly documented the fix in the version changelog. Organizations should update all Android devices running the vulnerable RAR App through the Google Play Store or enterprise application distribution channels.
The vendor has emphasized this vulnerability affects only RAR for Android; WinRAR and Unix RAR versions are not impacted and do not require patching for this specific issue.
Workarounds
- Temporarily uninstall RAR for Android on critical devices until the patch can be applied
- Use alternative archive extraction applications that are not affected by this vulnerability
- Implement network-level filtering to scan and quarantine potentially malicious RAR archives
- Configure mobile security policies to prevent sideloading of archives from untrusted sources
# Verify RAR App version on Android via ADB
adb shell dumpsys package com.rarlab.rar | grep versionName
# Patched builds report versionName 7.20 (build 128) or later; no output means the package is not installed
# If the version is 7.11 or below, update immediately via Google Play Store
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


