
Hardware & Software WinRAR 7.12 Final released

dEEpEst


WinRAR 7.12 Final released

Release date: 25.06.2025

WinRAR Addresses Multiple Security Vulnerabilities and Functional Improvements in Latest Software Update

Berlin, June 25th 2025: WinRAR, the leading file compression and archiving software, has just launched version 7.12, resolving a serious security vulnerability affecting earlier versions. These updates demonstrate our commitment to protecting our users and maintaining the integrity and trustworthiness of the WinRAR ecosystem.

SECURITY FIXES

1. Directory Traversal Remote Code Execution Vulnerability (ZDI-CAN-27198)

In previous versions of WinRAR, as well as RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code for Windows, a specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction. User interaction is required to exploit this vulnerability, which could cause files to be written outside the intended directory.

This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login.

This issue affects only Windows-based builds. Versions of RAR and UnRAR for Unix, the portable source code on Unix, and RAR for Android are not affected.

We thank whs3-detonator, working with Trend Micro’s Zero Day Initiative, for responsibly reporting this vulnerability.

2. HTML Injection via Archived File Names in Report Generation

Older versions of WinRAR’s “Generate Report” feature included archived file names in the generated HTML without sanitization, allowing file names with HTML tags (e.g., <script>) to be injected into the report. This has been fixed by escaping < and > characters to neutral HTML entities, preventing injection.
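Added example (not part of the original post and not WinRAR's code): a pre-extraction check that flags archive entry names which would land outside the chosen destination under Windows path rules, the class of problem described in fix 1. The function names, the destination path and the sample entry names are constructed for illustration.

```python
import ntpath  # Windows path rules; pure string handling, so this runs on any OS


def check_entry(dest_dir, entry_name):
    """Return None if the entry stays inside dest_dir, else a reason string."""
    name = entry_name.replace("/", "\\")  # Windows accepts both separators
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\"):
        return "absolute, drive-qualified or UNC path"
    for part in tail.split("\\"):
        # Windows naming guidance: names should not end in a space or period.
        # Conservative policy (an assumption of this example): reject such
        # components instead of guessing how they would be normalized.
        if part not in ("", ".", "..") and part != part.rstrip(" ."):
            return "component ends in space or period"
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, name)))
    # Compare with a trailing separator so "out2" is not accepted for "out".
    if not target.startswith(dest.rstrip("\\") + "\\"):
        return "resolves outside destination"
    return None


def audit_entries(dest_dir, entry_names):
    """Map each rejected entry name to the reason it was rejected."""
    rejected = {}
    for name in entry_names:
        reason = check_entry(dest_dir, name)
        if reason is not None:
            rejected[name] = reason
    return rejected


# Constructed sample data, not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\out"
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "docs/../notes.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
    r"C:\Windows\Temp\x.dll",
    r"docs\.. \x.txt",
    r"..\out2\x.txt",
]

if __name__ == "__main__":
    for entry, why in audit_entries(DEST, SAMPLE_ENTRIES).items():
        print(f"REJECT {entry!r}: {why}")
```

Running the check over an archive listing before extraction, and refusing the whole archive on any rejection, keeps a single bad entry from being written at all.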
