Archive Extraction Path Traversal (β€œZip-Slip” / WinRAR CVE-2025-8088)

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Many archive formats (ZIP, RAR, TAR, 7-ZIP, etc.) allow each entry to carry its own internal path. When an extraction utility blindly honours that path, a crafted filename containing .. or an absolute path (e.g. C:\Windows\System32\) will be written outside of the user-chosen directory.
This class of vulnerability is widely known as Zip-Slip or archive extraction path traversal.

Consequences range from overwriting arbitrary files to directly achieving remote code execution (RCE) by dropping a payload in an auto-run location such as the Windows Startup folder.

Root Cause

  1. Attacker creates an archive where one or more file headers contain:
    • Relative traversal sequences (..\..\..\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe)
    • Absolute paths (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\payload.exe)
    • Or crafted symlinks that resolve outside the target dir (common in ZIP/TAR on nix).
  2. Victim extracts the archive with a vulnerable tool that trusts the embedded path (or follows symlinks) instead of sanitising it or forcing extraction beneath the chosen directory.
  3. The file is written in the attacker-controlled location and executed/loaded next time the system or user triggers that path.

Real-World Example – WinRAR ≀ 7.12 (CVE-2025-8088)

WinRAR for Windows (including the rar / unrar CLI, the DLL and the portable source) failed to validate filenames during extraction.
A malicious RAR archive containing an entry such as:

..\..\..\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe

would end up outside the selected output directory and inside the user’s Startup folder. After logon Windows automatically executes everything present there, providing persistent RCE.

Crafting a PoC Archive (Linux/Mac)

# Requires rar >= 6.x
mkdir -p "evil/../../../Users/Public/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
cp payload.exe "evil/../../../Users/Public/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/"
rar a -ep evil.rar evil/*

Options used:

  • -ep – store file paths exactly as given (do not prune leading ./).

Deliver evil.rar to the victim and instruct them to extract it with a vulnerable WinRAR build.

Observed Exploitation in the Wild

ESET reported RomCom (Storm-0978/UNC2596) spear-phishing campaigns that attached RAR archives abusing CVE-2025-8088 to deploy customised backdoors and facilitate ransomware operations.

Newer Cases (2024–2025)

7-Zip ZIP symlink traversal β†’ RCE (CVE-2025-11001 / ZDI-25-949)

  • Bug: ZIP entries that are symbolic links were dereferenced during extraction, letting attackers escape the destination directory and overwrite arbitrary paths. User interaction is just opening/extracting the archive.
  • Affected: 7-Zip 21.02–24.09 (Windows & Linux builds). Fixed in 25.00 (July 2025) and later.
  • Impact path: Overwrite Start Menu/Programs/Startup or service-run locations β†’ code runs at next logon or service restart.
  • Quick PoC (Linux): 
    mkdir -p out
ln -s /etc/cron.d evil
zip -y exploit.zip evil   # -y preserves symlinks
7z x exploit.zip -o/tmp/target   # vulnerable 7-Zip writes to /etc/cron.d
    On a patched build /etc/cron.d won’t be touched; the symlink is extracted as a link inside /tmp/target.

Go mholt/archiver Unarchive() Zip-Slip (CVE-2025-3445)

  • Bug: archiver.Unarchive() follows ../ and symlinked ZIP entries, writing outside outputDir.
  • Affected: github.com/mholt/archiver ≀ 3.5.1 (project now deprecated).
  • Fix: Switch to mholt/archives β‰₯ 0.1.0 or implement canonical-path checks before write.
  • Minimal reproduction: 
    // go test . with archiver<=3.5.1
archiver.Unarchive("exploit.zip", "/tmp/safe")
// exploit.zip holds ../../../../home/user/.ssh/authorized_keys

Detection Tips

  • Static inspection – List archive entries and flag any name containing ../, ..\\, absolute paths (/, C:) or entries of type symlink whose target is outside the extraction dir.
  • Canonicalisation – Ensure realpath(join(dest, name)) still starts with dest. Reject otherwise.
  • Sandbox extraction – Decompress into a disposable directory using a safe extractor (e.g., bsdtar --safe --xattrs --no-same-owner, 7-Zip β‰₯ 25.00) and verify resulting paths stay inside the directory.
  • Endpoint monitoring – Alert on new executables written to Startup/Run/cron locations shortly after an archive is opened by WinRAR/7-Zip/etc.

Mitigation & Hardening

  1. Update the extractor – WinRAR 7.13+ and 7-Zip 25.00+ implement path/symlink sanitisation. Both tools still lack auto-update.
  2. Extract archives with β€œDo not extract paths” / β€œIgnore paths” when possible.
  3. On Unix, drop privileges & mount a chroot/namespace before extraction; on Windows, use AppContainer or a sandbox.
  4. If writing custom code, normalise with realpath()/PathCanonicalize() before create/write, and reject any entry that escapes the destination.

Additional Affected / Historical Cases

  • 2018 – Massive Zip-Slip advisory by Snyk affecting many Java/Go/JS libraries.
  • 2023 – 7-Zip CVE-2023-4011 similar traversal during -ao merge.
  • 2025 – HashiCorp go-slug (CVE-2025-0377) TAR extraction traversal in slugs (patch in v1.2).
  • Any custom extraction logic that fails to call PathCanonicalize / realpath prior to write.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks