- WinRAR flaw let crafted archives drop files outside target folder, including into Windows Startup
- New version 7.12 addresses critical path and HTML vulnerabilities
- Windows users urged to update WinRAR for improved file safety
Iconic file archiving tool WinRAR has received a security update addressing a serious flaw that could let attackers run arbitrary code on affected systems.
The vulnerability, tracked as CVE-2025-6218, was identified in the way WinRAR handles file paths within archives.
It was discovered by a researcher known as whs3-detonator, working with Trend Micro’s Zero Day Initiative.
Patch now
The issue exists in Windows versions of WinRAR, where a specially crafted archive can exploit path traversal during file extraction.
If a user opens such a file or visits a malicious site, the exploit can allow files to be placed in unintended directories, including sensitive ones like the Windows Startup folder.
This could cause malicious software to run automatically when the system boots.
RARLAB, the developer of WinRAR, has released version 7.12 to address this flaw.
The vulnerability does not affect versions of RAR or UnRAR for Unix or Android. Users are urged to update as soon as possible to reduce the risk of exploitation.
To stay protected from threats like this, it’s important to use the best antivirus software, reliable malware removal tools, and strong endpoint protection. Even well-known tools can have flaws, so running trusted security software and keeping all apps current helps reduce the risk of malware slipping through unnoticed.
The new WinRAR update also fixes an unrelated issue involving the “Generate Report” feature. In older versions, file names in generated HTML reports weren’t sanitized properly, which allowed basic HTML injection. That has now been corrected.
In addition to the security fixes, WinRAR 7.12 now tests recovery volumes during archive testing, giving users better confirmation that backup files are intact. It also preserves precise nanosecond timestamps when modifying Unix files on Windows.