7-Zip: Information on closed security gaps available
The 7-Zip update to version 25.00 from July closed high-risk security vulnerabilities. A newer version is now available.
With version 25.00 of 7-Zip, the developer closed some security gaps in July. Until now, however, it was unclear which ones. Trend Micro's Zero-Day Initiative (ZDI) has now published information on some of the security vulnerabilities that have been fixed.
According to the ZDI, the first vulnerability concerns the handling of symbolic links in ZIP files. A manipulated ZIP file can cause the extraction process to traverse to unintended directories. Attackers can abuse this to execute code in the context of the service account (CVE-2025-11002, CVSS 7.0, risk “high”). The ZDI's description of the second vulnerability reads identically (CVE-2025-11001, CVSS 7.0, risk “high”).
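The traversal class ZDI describes works because an archive can first deliver a symlink entry pointing outside the extraction directory and then a regular entry whose path runs through that link. As an added illustration (not 7-Zip's or ZDI's code), the following Python check audits a ZIP archive for exactly that pattern before anything is extracted; the extraction directory `/tmp/extract` and the constructed sample archive are assumptions for the demonstration.

```python
import io
import os
import stat
import zipfile

def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    # Unix permission bits are stored in the high 16 bits of external_attr
    return stat.S_ISLNK(info.external_attr >> 16)

def audit_zip(data: bytes, dest: str = "/tmp/extract") -> list:
    """Return findings for entries that could write outside dest or through a symlink."""
    findings = []
    dest_real = os.path.realpath(dest)
    links = {}  # entry name -> symlink target seen so far (archive order matters)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"{name}: entry path escapes {dest}")
                continue
            if is_symlink_entry(info):
                target = zf.read(info).decode("utf-8", "replace")
                links[name.rstrip("/")] = target
                resolved = os.path.realpath(os.path.join(dest_real, os.path.dirname(name), target))
                if os.path.commonpath([dest_real, resolved]) != dest_real:
                    findings.append(f"{name}: symlink -> {target} points outside {dest}")
                continue
            # A regular entry whose path passes through an earlier symlink entry would be
            # written wherever that link points: the traversal ZDI describes.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(f"{name}: written through symlink {prefix} -> {links[prefix]}")
                    break
    return findings

def build_sample(malicious: bool = True) -> bytes:
    """Constructed sample archive (hypothetical, not a real exploit file): a benign file and,
    optionally, a symlink escaping dest plus a file that would be written through it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        if malicious:
            link = zipfile.ZipInfo("escape")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../../outside")
            zf.writestr("escape/payload.txt", "x")
    return buf.getvalue()
```

Note that the check depends on entry order: an extractor that honours symlinks as it goes is only at risk from links created before the entries that pass through them.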
The version history of 7-Zip now also lists two further security vulnerabilities that version 25.00 closes, but the descriptions there are very vague. “7-Zip may work incorrectly with some incorrect RAR archives,” it says; the CVE entry is more specific: when processing RAR5 archives, zeros can be written outside a heap buffer, corrupting memory and potentially causing a denial of service (DoS) (CVE-2025-53816 / EUVD-2025-21791, CVSS 5.5, risk “medium”). Malformed COM archives (compound files) can also cause a crash, which, according to the vulnerability description in the CVE entry, is due to a null pointer dereference during processing (CVE-2025-53817 / EUVD-2025-21790, CVSS 5.5, risk “medium”).
Further update available
Another 7-Zip update, to version 25.01 in August, went somewhat under the radar. It fixes a problem where symbolic links were not always processed correctly. The developer does not mention the effects, but it is a security-relevant bug (CVE-2025-5518 / EUVD-2025-24018, CVSS 3.6, risk “low”).
As 7-Zip still does not include an automatic update check, users of the software must update to the latest version manually. It is available on the 7-Zip download page.
(dmk)