CVE-2025-8088 PoC — Path traversal vulnerability in WinRAR

Associated Vulnerability
Title: Path traversal vulnerability in WinRAR (CVE-2025-8088)
Description: A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Description
Proof-of-Concept for CVE-2025-8088 vulnerability in WinRAR (path traversal via ADS)
Readme
# PoC for CVE-2025-8088: Path Traversal in WinRAR

## Vulnerability Description ☢️
CVE-2025-8088 (CVSS 8.4) is a path traversal vulnerability in WinRAR ≤7.12 that allows files to be placed outside the unpacking directory via alternate data streams (ADS) in a RAR archive. It is exploited to deliver malware to system folders such as Startup (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), for persistence.

- The archive contains a decoy file with alternate data streams whose names include `..\` sequences for traversal. When extracting, WinRAR places the stream content in the traversed path.
- ⚙️Techniques: Path traversal + NTFS ADS to hide the payload.
- ❗Danger: Automatically launches malware on reboot without notifying the user.
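
A defensive check for the pattern described above, as an added example that is not part of the original README or poc.py: it flags file and stream names from an archive listing that carry `..\` components or path separators, before anything is extracted. The function names and the sample listing are constructed for illustration, and reading the names out of the archive is assumed to be done by the caller.

```python
import ntpath


def unsafe_reasons(name: str) -> list[str]:
    """Return why an archive file or stream name must not be extracted as-is."""
    reasons = []
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith(("\\", "/")):
        reasons.append("absolute or drive-qualified path")
    # NTFS addresses a stream as "file:stream"; split at the first colon.
    file_part, colon, stream = rest.partition(":")
    if ".." in file_part.replace("/", "\\").split("\\"):
        reasons.append("traversal in file name")
    if colon:
        stream_parts = stream.replace("/", "\\").split("\\")
        # A valid stream name (e.g. Zone.Identifier) cannot contain a separator.
        if len(stream_parts) > 1:
            reasons.append("path separator in stream name")
        if ".." in stream_parts:
            reasons.append("traversal in stream name")
    return reasons


def scan(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := unsafe_reasons(n))}


# Constructed sample listing (not taken from a real archive).
SAMPLE = [
    "resume.txt",
    "resume.txt:Zone.Identifier",
    r"resume.txt:..\..\Startup\payload.bat",
    r"docs\..\..\notes.txt",
    r"C:\Temp\notes.txt",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE).items():
        print(f"BLOCK {name!r}: {', '.join(reasons)}")
```
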

🟩Usage:
1. Install WinRAR (rar.exe in PATH).
2. Prepare the payload (for example, a bat script: `echo Malware > %TEMP%\infected.txt`).
3. Run: `python poc.py --decoy resume.txt --payload evil.bat --out exploit.rar`
4. Unpack exploit.rar in vulnerable WinRAR - the payload will end up in Startup.

🟥Disclaimer
For research only. The author is not responsible for misuse. Test in an isolated environment.

📄Sources: ESET Research, NVD.
File Snapshot

[4.0K] /data/pocs/a5dc0aad2c7e75da17627e3a1366232a99841561
├── [1.0K] LICENSE
├── [2.4K] poc.py
└── [1.2K] README.md

0 directories, 3 files