CVE-2025-55188 Overview
CVE-2025-55188 affects 7-Zip versions before 25.01. The archiver does not always properly handle symbolic links during extraction. An attacker who crafts a malicious archive can leverage symlink entries to cause file write or read operations outside the intended extraction directory. Exploitation requires the victim to extract a specially crafted archive on a system where 7-Zip can create symbolic links. The flaw is categorized under CWE-59: Link Following. The 7-Zip project addressed the issue in the 25.01 release.
Critical Impact
A crafted archive can redirect extraction through symbolic links, leading to file overwrite, arbitrary file placement, or unintended disclosure of files outside the target directory.
Affected Products
- 7-Zip versions prior to 25.01
- Windows, Linux, and macOS builds of 7-Zip that support symbolic link creation during extraction
- Third-party tools and workflows that bundle vulnerable 7-Zip binaries
Discovery Timeline
- 2025-08-08 - CVE-2025-55188 published to NVD
- 2025-08-09 - Issue announced on the OpenWall OSS-Security mailing list
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-55188
Vulnerability Analysis
The vulnerability stems from improper handling of symbolic link entries inside archives during extraction. When 7-Zip processes an archive that contains symlink records, the extractor can follow or materialize those links in ways that allow file operations to land outside the chosen output directory. An attacker who controls archive contents can stage a symlink that points to a sensitive path, then include a regular file entry that writes through that link. The result is a write-where primitive constrained to the privileges of the user running 7-Zip. Researcher analysis published on the Lunbun blog describes how chained symlink entries can be used to escape the extraction root.
Root Cause
The root cause is insufficient validation of symbolic link targets and ordering of link materialization relative to file writes. 7-Zip created link entries during extraction without enforcing that subsequent writes remain within the destination directory. This link-following weakness aligns with [CWE-59].
Attack Vector
The attack requires local user interaction. A target user must open or extract a malicious .7z, .tar, or similar archive using a vulnerable 7-Zip build. The attack vector is local with low complexity, no privileges required on the attacker side, and user interaction required on the victim side. Common delivery methods include phishing attachments, drive-by downloads, and supply-chain pollution of shared archives. Successful extraction can place attacker-controlled content into sensitive locations such as startup directories, configuration files, or SSH key paths, enabling follow-on persistence or privilege escalation when combined with other primitives.
No verified public exploit code is included here. Technical write-ups and proof-of-concept material are available in the CVE-2025-55188 GitHub repository and the associated Lunbun blog post.
Detection Methods for CVE-2025-55188
Indicators of Compromise
- Files written outside the intended extraction directory following a 7-Zip extraction event
- Archives containing symbolic link entries whose targets reference absolute paths or .. traversal sequences
- Unexpected creation of symlinks in user profile, startup, or SSH key directories shortly after 7z.exe or 7zz execution
Detection Strategies
- Inventory installed 7-Zip versions across the fleet and flag any build earlier than 25.01
- Inspect archive contents prior to extraction using tooling that lists symlink entries and their targets
- Correlate process telemetry for 7z.exe, 7za.exe, and 7zz with subsequent file creation events outside the extraction working directory
Monitoring Recommendations
- Alert on symbolic link creation by archive utilities in sensitive paths such as startup folders, ~/.ssh, and system configuration directories
- Monitor endpoints for execution of 7-Zip binaries with version strings below 25.01 reported by software inventory feeds
- Capture file integrity monitoring events on directories adjacent to user download and extraction locations
How to Mitigate CVE-2025-55188
Immediate Actions Required
- Upgrade all 7-Zip installations to version 25.01 or later using the official release page
- Audit endpoint software inventories for legacy 7-Zip binaries embedded in third-party applications and remove or update them
- Treat archives from untrusted sources as hostile and extract them inside isolated, non-privileged sandboxes
Patch Information
The 7-Zip project fixed the symbolic link handling logic in version 25.01. Review the upstream version comparison between 25.00 and 25.01 for the specific source changes. Detection and mitigation guidance is also documented in the Vicarius detection guide and Vicarius mitigation guide.
Workarounds
- Disable symbolic link creation by extracting archives with a user account that lacks the privilege to create symlinks on Windows
- Extract untrusted archives into ephemeral containers or virtual machines before moving content to production systems
- Pre-screen archives by listing entries with 7z l -slt and rejecting any archive that contains symlink entries with suspicious targets
# Configuration example: verify installed 7-Zip version and reject archives with symlinks
7z --help | head -n 2
7z l -slt suspicious.7z | grep -E "Symbolic Link|Path ="
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
