CVE-2025-66945 Overview
A path traversal vulnerability exists in the ZIP extraction API of Zdir Pro 4.x. When a crafted ZIP archive is processed by the backend at /api/extract, files may be written outside the intended directory, leading to arbitrary file overwrite and potentially remote code execution. This vulnerability, commonly known as "Zip Slip," allows attackers to escape the designated extraction directory by embedding malicious path sequences within archive entries.
Critical Impact
Successful exploitation enables attackers to overwrite arbitrary files on the target system, potentially achieving remote code execution by overwriting application configuration files, scripts, or executables.
Affected Products
- Zdir Pro 4.x
- Zdir Zdir (all versions per CPE: cpe:2.3:a:zdir:zdir:*:*:*:*:*:*:*:*)
Discovery Timeline
- 2026-03-03 - CVE-2025-66945 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2025-66945
Vulnerability Analysis
This path traversal vulnerability affects the ZIP extraction functionality exposed through the /api/extract endpoint in Zdir Pro 4.x. The core issue lies in insufficient validation of file paths contained within ZIP archive entries before extraction. When the application processes a ZIP file, it fails to properly sanitize or validate the destination paths of archived files, allowing malicious archives to specify paths that traverse outside the intended extraction directory using sequences like ../.
The vulnerability enables an attacker to craft a malicious ZIP archive containing files with specially constructed path names. When this archive is uploaded and processed by the vulnerable API, the extracted files are written to locations outside the intended target directory. This can result in overwriting critical system or application files, potentially leading to remote code execution if executable files or configuration files are overwritten with attacker-controlled content.
Root Cause
The root cause is improper input validation in the ZIP extraction routine. The application fails to properly sanitize file path entries within the ZIP archive before writing extracted files to disk. Specifically, the extraction logic does not adequately check for directory traversal sequences (such as ../ or ..\) embedded in the archived file names, nor does it verify that the resolved destination path remains within the intended extraction directory boundary.
This is classified under CWE-787 (Out-of-bounds Write), as the vulnerability allows writing data outside the expected memory/file location boundaries. The vulnerability also exhibits characteristics of path traversal (CWE-22) where input containing directory traversal sequences is not properly neutralized.
Attack Vector
The attack vector is network-based, requiring no authentication and no user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious ZIP archive containing entries with path traversal sequences in their file names (e.g., ../../etc/cron.d/malicious)
- Uploading the crafted ZIP archive to the vulnerable Zdir Pro instance
- Triggering the extraction process via the /api/extract API endpoint
- The malicious files are written outside the intended extraction directory, potentially overwriting sensitive system files
The exploitation mechanism relies on creating a ZIP archive where the file entry names include path traversal sequences. When the application extracts the archive without proper validation, files are written to unintended locations on the filesystem.
For detailed technical analysis and proof-of-concept information, refer to the GitHub PoC Repository and the ZeroDay CVE-2025-66945 Analysis.
Detection Methods for CVE-2025-66945
Indicators of Compromise
- Unexpected files appearing in system directories outside the Zdir upload/extraction paths
- Modified timestamps on critical configuration files or executables that coincide with ZIP extraction activity
- Log entries showing requests to /api/extract endpoint with subsequent file system anomalies
- Presence of files with unusual naming patterns that suggest path traversal origins
Detection Strategies
- Monitor HTTP traffic to the /api/extract endpoint for suspicious ZIP upload activity
- Implement file integrity monitoring (FIM) on critical system directories and application configuration files
- Analyze web server logs for unusual patterns of archive extraction requests
- Deploy endpoint detection rules that alert on file writes to sensitive directories following web application activity
Monitoring Recommendations
- Enable detailed logging for all ZIP extraction operations in Zdir Pro
- Configure alerts for file modifications in directories outside the designated upload/extraction paths
- Monitor for new cron jobs, startup scripts, or modified executables that appear after extraction operations
- Implement network monitoring to detect large file uploads to the /api/extract endpoint
How to Mitigate CVE-2025-66945
Immediate Actions Required
- Restrict access to the /api/extract endpoint to trusted users or networks only
- Implement web application firewall (WAF) rules to inspect and block malicious ZIP uploads
- Consider disabling the ZIP extraction functionality until a patch is available
- Review file system permissions to limit the web application's write access to only necessary directories
Patch Information
Consult the vendor advisory and the GitHub PoC Repository for the latest patch information. Organizations should apply security updates from Zdir as soon as they become available. Monitor the official Zdir channels for security advisories addressing this vulnerability.
Workarounds
- Implement input validation at the application or reverse proxy level to reject ZIP files containing entries with path traversal sequences
- Configure the web server or application container to run with minimal filesystem permissions
- Use chroot or containerization to isolate the Zdir application and limit the impact of directory traversal attacks
- Deploy a reverse proxy with request inspection capabilities to filter potentially malicious ZIP uploads before they reach the application
# Example: Restrict write permissions for the web application user
# Limit the application's ability to write outside designated directories
chmod 755 /var/www/zdir
chown -R www-data:www-data /var/www/zdir/uploads
# Consider using AppArmor or SELinux profiles to further restrict file access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
