WinRAR Windows Path Traversal via NTFS Alternate Data Streams (CVE-2025-8088)
by ESET (discovery/analysis); pexlexity (PoC) · 2026-07-01
- Severity: High
- CVE: CVE-2025-8088
- Category: misc
- Affected product: WinRAR (Windows)
- Affected versions: Prior to WinRAR 7.13
- Disclosed: 2026-07-01
- Patch status: patched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-01 |
| Last Updated | 2025-07 |
| Author / Researcher | ESET (discovery/analysis); pexlexity (PoC) |
| CVE / Advisory | CVE-2025-8088 |
| Category | misc |
| Severity | High |
| CVSS Score | 8.4 (CVSSv3) |
| Status | Weaponized |
| Tags | path-traversal, WinRAR, NTFS, Alternate-Data-Streams, RomCom, Storm-0978, persistence, startup-folder, in-the-wild |
| Related | CVE-2025-6218 |
Affected Target
| Field | Value |
|---|---|
| Software / System | WinRAR (Windows) |
| Versions Affected | Prior to WinRAR 7.13 |
| Language / Platform | Python (PoC generator) |
| Authentication Required | No (victim must open/extract the crafted archive) |
| Network Access Required | No (local file processing; delivered via phishing/decoy document) |
Summary
CVE-2025-8088 is a path traversal vulnerability in the Windows version of WinRAR. A specially crafted RAR archive abuses NTFS Alternate Data Streams (ADS) combined with ..\ traversal sequences so that, when opened or extracted by a vulnerable WinRAR build, files are written outside the intended extraction directory. Reported real-world exploitation (attributed to RomCom / Storm-0978) used decoy documents visible to the victim while hidden ADS-backed entries dropped attacker-controlled files into sensitive locations such as the Windows Startup folder, enabling follow-on execution of LNK, HTA, VBScript, or PowerShell loaders on next login. This is a distinct vulnerability from the earlier CVE-2025-6218 WinRAR path-traversal bug already in this archive. Patched in WinRAR 7.13 (July 2025).
Vulnerability Details
Root Cause
WinRAR’s Windows extraction logic does not fully sanitize NTFS Alternate Data Stream names combined with relative path traversal sequences (..\) embedded in archive entry filenames, allowing extraction to write outside the target directory.
Attack Vector
- Attacker crafts a RAR archive containing a decoy document (visible to the victim) plus one or more ADS-backed entries using traversal sequences.
- Victim opens/extracts the archive with a vulnerable WinRAR build.
- WinRAR writes the hidden payload to an attacker-chosen path outside the extraction directory (e.g., the Startup folder).
- Payload executes automatically on next user login, achieving persistence and code execution.
Impact
Arbitrary file write on the victim’s Windows filesystem, commonly leveraged for persistence and eventual code execution via auto-run locations.
Environment / Lab Setup
Target: Windows host with WinRAR < 7.13 installed
Attacker: Python 3
Proof of Concept
PoC Script
See poc.py in this folder.
Crafts a .rar archive combining a visible decoy document with an ADS + ..\ traversal entry that, when extracted by a vulnerable WinRAR build, drops the payload into the Windows Startup folder for persistence.
Detection & Indicators of Compromise
Signs of compromise:
- New LNK/HTA/VBS/PS1 files in the Startup folder shortly after opening an email attachment/archive
- Phishing emails with RAR attachments containing a plausible decoy document
- Endpoint telemetry showing WinRAR.exe writing files outside the user-selected extraction path
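The indicators above can be turned into two concrete checks. The following is an added defensive example for this archive entry, not code from the referenced PoC repository: a pre-extraction screen that flags archive entry names combining an NTFS Alternate Data Stream suffix with `..\` traversal (the pattern described in the root cause), and a scan for recently added auto-run file types in a folder such as Startup. The extraction root `C:\extract`, the helper names, and the sample entry names are all constructed for illustration; `ntpath` applies Windows path semantics on any host, so the screen runs offline.

```python
"""Defender-side checks for the CVE-2025-8088 pattern.
Added example for this archive entry; not the PoC from the referenced
repository. Entry names and the extraction root are constructed."""
import ntpath
import os
import tempfile
import time

# File types the advisory lists as Startup-folder loaders
AUTORUN_EXTENSIONS = {".lnk", ".hta", ".vbs", ".ps1"}
# Assumed extraction directory; only escape detection relative to it matters
EXTRACT_ROOT = r"C:\extract"


def split_ads(entry_name: str):
    """Return (file_part, stream_part) for 'file:stream'; stream_part is None
    when there is no ADS suffix. A leading drive letter ('C:') is not an ADS."""
    name = entry_name.replace("/", "\\")
    start = 2 if len(name) >= 2 and name[1] == ":" and name[0].isalpha() else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def escapes_root(relative: str, root: str = EXTRACT_ROOT) -> bool:
    """True when joining `relative` under `root` resolves outside `root`
    (covers '..' components as well as absolute or drive-qualified names)."""
    root_n = ntpath.normpath(root).lower()
    target = ntpath.normpath(ntpath.join(root, relative)).lower()
    return target != root_n and not target.startswith(root_n + "\\")


def assess_entry(entry_name: str) -> dict:
    """Classify one archive entry name as 'allow', 'warn' or 'block'."""
    file_part, stream_part = split_ads(entry_name)
    reasons, block = [], False
    if escapes_root(file_part):
        reasons.append("file path escapes extraction root")
        block = True
    if stream_part is not None:
        # A stream alone (e.g. Zone.Identifier) is legitimate; warn only
        reasons.append("entry carries an NTFS alternate data stream")
        if escapes_root(stream_part):
            # The exploit shape: traversal hidden inside the stream component
            reasons.append("stream name traverses out of extraction root")
            block = True
        if ntpath.splitext(stream_part)[1].lower() in AUTORUN_EXTENSIONS:
            reasons.append("stream name ends in an auto-run file type")
    verdict = "block" if block else ("warn" if reasons else "allow")
    return {"verdict": verdict, "reasons": reasons}


def triage_archive(entry_names) -> dict:
    """Map each entry name to its assessment; refuse extraction on any 'block'."""
    return {name: assess_entry(name) for name in entry_names}


def recent_autorun_files(folder: str, window_seconds: int, now=None) -> list:
    """Names of auto-run file types in `folder` modified within the window:
    the 'new LNK/HTA/VBS/PS1 in Startup' indicator from the advisory."""
    now = time.time() if now is None else now
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if (os.path.isfile(path)
                and os.path.splitext(name)[1].lower() in AUTORUN_EXTENSIONS
                and now - os.path.getmtime(path) <= window_seconds):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed entry names: a decoy, a benign ADS, and the traversal shape
    sample = ["decoy.pdf", "decoy.pdf:Zone.Identifier",
              r"decoy.pdf:..\..\Startup\updater.lnk", r"..\..\dropped.hta"]
    for name, result in triage_archive(sample).items():
        print(f"{result['verdict']:5}  {name}  {result['reasons']}")
    # Constructed stand-in for a Startup folder with one fresh .lnk file
    with tempfile.TemporaryDirectory() as startup:
        for fname in ("updater.lnk", "notes.txt"):
            with open(os.path.join(startup, fname), "w") as fh:
                fh.write("constructed")
        print("recent auto-run files:", recent_autorun_files(startup, 300))
```

The screen deliberately treats a plain stream suffix as a warning rather than a block, since `Zone.Identifier` streams are routine; only an entry whose file or stream component resolves outside the extraction root is rejected, which is exactly the behaviour the patched WinRAR build enforces.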
Remediation
| Action | Detail |
|---|---|
| Primary fix | Upgrade to WinRAR 7.13 or later |
| Mitigation | Restrict/monitor write access to auto-run locations (Startup folder, Run keys) |
| User awareness | Treat unsolicited RAR attachments, even with plausible decoy content, as suspicious |
References
Notes
Auto-ingested from https://github.com/pexlexity/WinRAR-CVE-2025-8088-Path-Traversal-PoC on 2026-07-01. This CVE has an unusually large number of independent public PoC repositories (25+), indicating the bug is trivial to reproduce; pexlexity was selected as a clean, minimal, verified reference implementation. Not to be confused with CVE-2025-6218 (a different WinRAR path-traversal bug already tracked in this archive).