Vulnerability in 7-Zip archive software enables arbitrary file write and code execution
Take action: Unless the update would break something in your code, update your 7-Zip software to version 25.01 or later. Even though this exploit has prerequisites and its severity is debated, a malicious archive can still harm your system. So better safe than sorry.
A security vulnerability has been discovered in the widely-used 7-Zip file compression software that could allow attackers to execute arbitrary code on victim systems through maliciously crafted archives.
The vulnerability is tracked as CVE-2025-55188 (CVSS score 2.7) and is caused by the handling of symbolic links during archive extraction in all versions of 7-Zip prior to 25.01. When users extract maliciously crafted archives containing unsafe symbolic links, 7-Zip follows these links during the extraction process, enabling attackers to write files to arbitrary locations on the target system outside the intended extraction directory. This flaw can be used to overwrite SSH keys, .bashrc files, or other system configurations.
On Linux systems, the vulnerability can be triggered when users extract archive formats that support symbolic links, including ZIP, TAR, 7Z, and RAR files using vulnerable 7-Zip versions.
Windows systems have additional prerequisites for successful exploitation. The 7-Zip extraction process must possess the capability to create symbolic links, which typically requires Administrator privileges or Windows Developer Mode to be enabled.
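For systems that cannot be updated right away, archives can be screened for this kind of entry before extraction. The following is an added example, not code from 7-Zip or from the researcher: it is narrowed to TAR archives read with Python's standard tarfile module, and the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

def unsafe_entries(tar_bytes):
    """Return (member name, reason) pairs for entries that could write outside the extraction root."""
    findings = []
    links = set()  # archive paths seen so far that are symbolic links
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            # The entry's own path must stay inside the extraction root.
            if name.startswith("/") or name == ".." or name.startswith("../"):
                findings.append((m.name, "path escapes root"))
            # An entry stored underneath an earlier symlink is written through that link.
            parts = name.split("/")
            if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append((m.name, "written through symlink"))
            if m.issym():
                links.add(name)
                # Resolve a relative target against the link's own directory.
                target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
                if m.linkname.startswith("/") or target == ".." or target.startswith("../"):
                    findings.append((m.name, "symlink target escapes root"))
    return findings

def build_sample():
    """Constructed sample archive: one benign symlink, one escaping symlink, one file under it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, linkname=None, data=b""):
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        add("docs/readme.txt", data=b"hello")
        add("docs/latest", linkname="readme.txt")   # stays inside the root
        add("docs/link", linkname="../../outside")  # resolves above the root
        add("docs/link/file.txt", data=b"x")        # would land in the link target
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample()):
        print(f"{name}: {reason}")
```

An archive that yields any finding should be quarantined rather than extracted; the benign relative link docs/latest is not reported.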
The flaw was discovered and reported by security researcher lunbun on August 9, 2025. The researcher disputes the low CVSS rating and believes the severity has been underreported by MITRE.
The vulnerability affects all versions of 7-Zip prior to 25.01, encompassing both the Community Edition and Enterprise deployments.
7-Zip version 25.01, released on August 3, 2025, addresses this vulnerability with comprehensive security improvements to symbolic link handling during archive extraction.
Organizations and users should review the advisories and, if the update is not a blocker for other functions, update to 7-Zip 25.01.