CVE-2025-11002Path Traversal in 7zip

CWE-22Path Traversal7 documents6 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 67.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
7-zip P7zipDebian 7zipDebian P7zip+1 more
Timeline
PublishedJan 23

Description

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

debiandebian/7zip< 7zip 25.00+dfsg-1 (forky)
debiandebian/p7zip< 7zip 25.00+dfsg-1 (forky)
Debian7-zip/p7zip< 16.02+transitional.1
CVEListV57-zip/7-zip24.09 (x64)
NVD7-zip/7-zip24.09

🔴Vulnerability Details

2
OSV
CVE-2025-11002: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability2026-01-23
GHSA
GHSA-6hqx-f664-v9xx: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability2026-01-23

📋Vendor Advisories

1
Debian
CVE-2025-11002: 7zip - 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. ...2025

🕵️Threat Intelligence

3
Qualys
Active Exploitation of 7-Zip RCE Vulnerability Shows Why Manual Patching is No Longer an Option | Qualys2025-12-04
Qualys
Active Exploitation of 7-Zip RCE Vulnerability Shows Why Manual Patching is No Longer an Option2025-12-04
Wiz
CVE-2025-11002 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-11002 — Path Traversal in Debian 7zip | cvebase