The bug was related to the handling of symbolic links in ZIP files: a specially crafted archive could write data outside the target directory, including to system paths.
If a user opened such an archive, the attacker could inject malicious code with the rights of the current user. Both vulnerabilities received a CVSS score of 7.0 (high severity).
The problem has already been fixed in 7-Zip version 25.00, released in July 2025.
Note that the vulnerabilities were found by experts from GMO Flatt Security and takumi-san.ai. Experts strongly recommend that all users urgently update to the latest version to avoid possible attacks.
Source: Ferra
