Main Vulnerability Database SB2025080901

SB2025080901 - Path traversal leading to RCE in WinRAR

Published: August 9, 2025 Updated: May 15, 2026

Security Bulletin ID SB2025080901

CSH Severity

Critical

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Path traversal (CVE-ID: CVE-2025-8088)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences inside archives. A remote attacker can trick the victim into opening specially crafted archive and overwrite arbitrary files on the system, leading to remote code execution.

Note, the vulnerability is being actively exploited in the wild.

Remediation

Install update from vendor's website.

References

https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5