WinRAR has recently addressed a critical directory traversal vulnerability identified as CVE-2025-6218, which could allow attackers to execute arbitrary code on affected systems. The vulnerability was discovered by security researcher “whs3-detonator” and reported through Trend Micro’s Zero Day Initiative.
How the Vulnerability Works
The flaw exists in how WinRAR processes file paths within archive files. By embedding directory traversal sequences (such as ../) in specially crafted archive entries, an attacker can trick WinRAR into writing files to unintended directories—such as sensitive system folders or the Windows startup folder—instead of the user-specified extraction path. If a malicious file is placed in a critical directory, it could be executed automatically the next time the user logs in or restarts their computer, potentially leading to a full compromise of the system’s confidentiality, integrity, and availability.
While no public proof-of-concept (PoC) exploit code is available, the following is a non-functional pseudocode representation of the attack vector, based on vulnerability descriptions.
```text
malicious_archive = create_archive(
    files = [
        {
            "name": "../../Windows/Start Menu/Programs/Startup/malware.exe",
            "content": [malicious_executable_bytes]
        }
    ]
)
```
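The defensive counterpart to the pseudocode above is the check an extraction routine should apply to every entry name before writing anything to disk. The following is an added example written for this article, not code from WinRAR or the advisory; the entry names, the extraction directory and the function names are constructed for illustration, and the same check applies to entry names from any archive format.

```python
"""Validate archive entry names before extraction.

Rejects any entry whose name would land outside the chosen extraction
directory, which is the traversal pattern described for CVE-2025-6218.
Entry names and the extraction root below are constructed samples.
"""
import os
import posixpath

def normalize_entry(entry_name: str):
    """Return a canonical relative path, or None if the entry is unsafe."""
    name = entry_name.replace("\\", "/")            # Windows archives may use either separator
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None                                  # absolute path or drive letter (C:...)
    norm = posixpath.normpath(name)                  # collapses "a/../b", "./x", duplicate slashes
    if norm in (".", "..") or norm.startswith("../"):
        return None                                  # would climb above the extraction root
    return norm

def resolve_destination(dest_root: str, entry_name: str):
    """Absolute on-disk target for the entry, or None if it escapes dest_root."""
    norm = normalize_entry(entry_name)
    if norm is None:
        return None
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    # Second, independent check after symlink resolution: stay under the root.
    if os.path.commonpath([root, target]) != root:
        return None
    return target

def audit_entries(dest_root, entry_names):
    """Map each entry name to its safe target path, or None when it must be skipped."""
    return {name: resolve_destination(dest_root, name) for name in entry_names}

# Constructed sample listing: three benign entries and two that must be skipped.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    "docs/../notes.txt",
    "../../Windows/Start Menu/Programs/Startup/malware.exe",
    "C:\\Users\\Public\\note.txt",
]

if __name__ == "__main__":
    for name, target in audit_entries("/tmp/extract", SAMPLE_ENTRIES).items():
        print(f"{'SKIP' if target is None else 'OK  '} {name!r} -> {target}")
```

The normalization step alone is not enough when the destination already contains symlinks, which is why the resolved path is checked a second time with realpath.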
Affected Products
• Windows versions of WinRAR (v7.11 and earlier)
• Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll
Not affected
Unix versions, portable UnRAR source code for Unix, UnRAR library for Unix, and RAR for Android
Exploitation Requirements
• User interaction is required: The victim must open a malicious archive file, typically delivered via phishing emails, malvertising, or compromised websites.
• Privileges: The attack executes in the context of the current user, so no administrative rights are required.
Severity
The vulnerability has been assigned a CVSS v3.0 score of 7.8, indicating a high risk.
Patch and Mitigation
WinRAR version 7.12 Beta 1, released on June 10, 2025, addresses this vulnerability. Users are strongly advised to update to this version or later as soon as possible to protect their systems. Since WinRAR does not have an automatic update feature, users must manually download and install the latest version.