WinRAR patches bug letting malware launch from extracted archives

WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive.

The flaw tracked as CVE-2025-6218 and assigned a CVSS score of 7.8 (high severity), was discovered by security researcher whs3-detonator who reported it through Zero Day Initiative on June 5, 2025.

It affects only the Windows version of WinRAR, from version 7.11 and older, and a fix was released in WinRAR version 7.12 beta 1, which was made available yesterday.

“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” read the changelog notes.

A malicious archive could contain files with crafted relative paths tricking WinRAR into “silently” extracting those to sensitive locations like system directories and auto-run or startup folders.

If the archive’s contents are malicious, these files could launch automatically and trigger dangerous code execution the next time the user logs into Windows.

Although the programs will run with user-level access rather than administrative or SYSTEM rights, they can still steal sensitive data like browser cookies and saved passwords, install persistence mechanisms, or provide remote access for further lateral movement.

The risk of CVE-2025-6218 is contained by the fact that user interaction is required for its exploitation, like opening a malicious archive or visiting a specially crafted page.

However, it is very common for users to utilize old versions of WinRar, and as there are so many ways to distribute malicious archives, the risk remains very high.

Besides CVE-2025-6218, WinRAR 7.12 beta 1 also addresses an HTML injection in report generation problem reported by Marcin Bobryk, where archived file names containing < or > could be injected into the HTML report as raw HTML tags. This could enable HTML/JS injection if reports are opened in a web browser.

Two more minor issues fixed in the latest WinRAR release include incomplete testing of recovery volumes and timestamp precision loss for Unix records.

Although CVE-2025-6218 does not impact Unix versions, Android, and portable UnRAR source code, all users of WinRAR, regardless of the platform, are recommended to upgrade to the latest version immediately.

Currently, there are no reports about CVE-2025-6218, but given the widespread deployment of WinRAR globally and the history of hackers targeting the software, users should update to the latest version immediately.