Two major security vulnerabilities discovered in 7-Zip, affecting Windows users

7-Zip users on Windows are urged to update their software after the disclosure of two “path traversal” vulnerabilities, CVE-2025-11001 and CVE-2025-11002. These flaws arise from the way 7-Zip processes Unix-style symbolic links while extracting Zip archives, specifically within the ArchiveExtractCallback.cpp module. The issue occurs when an absolute link target, such as c:\users, is treated as a relative one, so a symbolic link inside the archive can point outside the extraction directory and undermine its boundaries.

While these vulnerabilities allow attackers to craft archives that write files outside the intended extraction directory, successful exploitation currently requires specially crafted archives and either elevated privileges, developer mode, or execution in a high-privilege service context. Proof-of-concept code demonstrating the exploit has already been published.

Following responsible disclosure by Ryota Shiga of GMO Flatt Security and coordination with the Zero Day Initiative on October 7, both vulnerabilities have been assigned a CVSS score of 7.0, marking them as significant but not critical. All versions of 7-Zip from 21.02 to 24.09 are at risk, and the sole mitigation is to upgrade to version 25.00 or later, where stricter handling of symbolic links resolves the risk.
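As an added example, not part of the original article or of 7-Zip's own code: a pre-extraction check that lists symbolic-link entries in a ZIP archive whose targets are absolute (drive-letter or POSIX) or climb above the extraction root, which is the class of link the advisory describes. The sample archive is constructed in memory and the function names are assumptions.

```python
import io
import posixpath
import re
import stat
import zipfile
from typing import List, Optional, Tuple

DRIVE_RE = re.compile(r"^[A-Za-z]:")  # matches c:\users or C:/Users

def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the high 16 bits of external_attr
    return stat.S_ISLNK(info.external_attr >> 16)

def symlink_risk(entry_name: str, target: str) -> Optional[str]:
    """Return a reason if the link target can leave the extraction
    directory, or None if it stays inside."""
    t = target.replace("\\", "/")
    if t.startswith("/") or DRIVE_RE.match(t):
        return "absolute target"
    link_dir = posixpath.dirname(entry_name.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(link_dir, t))
    if resolved == ".." or resolved.startswith("../"):
        return "relative target escapes extraction root"
    return None

def find_unsafe_symlinks(zip_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Scan an in-memory ZIP and report (entry, target, reason) per unsafe link."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # For a symlink entry, the stored data is the link target path
            target = zf.read(info).decode("utf-8", "replace")
            reason = symlink_risk(info.filename, target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: one regular file plus three symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in [
            ("docs/link_ok", "../readme.txt"),      # stays inside the root
            ("link_abs", "c:\\users"),              # absolute, as in the advisory
            ("docs/link_up", "../../outside.txt"),  # climbs out of the root
        ]:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(zi, target)
    return buf.getvalue()

if __name__ == "__main__":
    for name, target, reason in find_unsafe_symlinks(build_sample_archive()):
        print(f"{name} -> {target}: {reason}")
```

The check is per entry and does not follow chains, so a link whose target passes through a directory that is itself a link in the same archive still needs the extractor's own resolution; updating to 7-Zip 25.00 remains the fix.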

by Paul


Comments

UserPower
2

7-Zip's SDK is also affected, which is pretty serious given that many apps don't update to the latest version, may not sanitize all paths, and that the vulnerabilities have been wandering for 4 years. Also, not many apps are sandboxed outside the Microsoft Store, and some don't even update themselves on a regular basis. A dire reminder that W10 EOL may not be the worst that could happen to Windows users.
