CVE-2025-6218 PoC — RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability (CVE-2025-6218)
Description: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.
Description
Proof of Concept for CVE-2025-6218, demonstrating the exploitation of a vulnerability in WinRAR versions 7.11 and under, involving improper handling of archive extraction paths.
Readme
# CVE-2025-6218 Proof of Concept (POC)

## Overview
This repository contains a simple Proof of Concept (POC) for **CVE-2025-6218**, demonstrating the exploitation of a vulnerability involving WinRAR’s handling of archive extraction paths. The POC batch script creates a ZIP archive that places a batch file into the Windows Startup folder, which runs `calc.exe` upon user login.

---

## How it Works

- The batch script (`CVE-2025-6218.bat`) generates a simple batch file (`POC.bat`) that runs the Windows Calculator (`calc.exe`).
- It then uses WinRAR to create a ZIP archive (`CVE-2025-6218.zip`) that is crafted to extract the batch file into the Windows Startup folder.
- The vulnerability is triggered when the ZIP archive is **right-clicked**, then **opened with WinRAR**, and extracted using the **"Extract to {folder}\"** option.
- Upon extraction, the batch file is placed in the Startup folder and will execute automatically on the next user login, demonstrating arbitrary code execution.

---

## Vulnerable Versions

- ✅ **Vulnerable**: WinRAR **7.11 and earlier**
- ❌ **Not vulnerable**: WinRAR **7.12 and later**  
  Users are strongly advised to update to the latest version to mitigate this vulnerability.
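
For triage before extraction, the following added example (not part of this repository) lists a ZIP's stored entry names and flags any that climb out of the extraction directory or point at the Startup folder. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Tail of the Startup path quoted in the README, lower-cased, forward slashes.
STARTUP_TAIL = "start menu/programs/startup"

def audit_entry(name):
    """Return the reasons an archive entry name is unsafe to extract."""
    norm = name.replace("\\", "/")
    reasons = []
    if norm.startswith("/") or norm[1:2] == ":":
        reasons.append("absolute or drive-qualified path")
    depth = 0
    for part in norm.split("/"):
        part = part.strip()  # conservative: a whitespace-padded ".." still counts
        if part in ("", "."):
            continue
        if part != "..":
            depth += 1
            continue
        depth -= 1
        if depth < 0:  # climbed above the extraction directory
            reasons.append("escapes extraction directory")
            break
    if STARTUP_TAIL in norm.lower():
        reasons.append("targets Startup folder")
    return reasons

def audit_zip(data):
    """Map each flagged entry of a ZIP (passed as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # orig_filename is the name as stored, before zipfile tidies it
            reasons = audit_entry(info.orig_filename)
            if reasons:
                findings[info.orig_filename] = reasons
    return findings

def constructed_sample():
    """Constructed test archive: one benign entry, one traversal entry (empty files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"")
        zf.writestr("../../AppData/Roaming/Microsoft/Windows/"
                    "Start Menu/Programs/Startup/POC.bat", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, why in audit_zip(constructed_sample()).items():
        print(f"{entry}: {', '.join(why)}")
```

The check reads names as stored and does not model WinRAR's own path handling, so a clean result is not a substitute for running 7.12 or later.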

---

## Script Requirements

- WinRAR (any version) must be installed in the default location: `C:\Program Files\WinRAR\WinRAR.exe`

---

## Usage

1. Run the provided batch script (`CVE-2025-6218.bat`).
2. This creates `CVE-2025-6218.zip` with the crafted batch file inside.
3. To exploit the vulnerability:
   - **Right-click** the `CVE-2025-6218.zip` file.
   - Select **WinRAR**.
   - Use the **"Extract to {folder}\"** option inside WinRAR to extract the files.
4. The batch file will be extracted to the Windows Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`), assuming that navigating two directories up from the current working directory leads to the user's home directory (`%USERPROFILE%`).
5. On the next user login, `calc.exe` will launch automatically.

---

## Disclaimer

This POC is for educational and testing purposes only. Use it responsibly and only on systems you own or have explicit permission to test. The author is not responsible for any misuse or damage caused by this code.

---

## License

[MIT License](LICENSE)
File Snapshot

[4.0K] /data/pocs/fffffb523b0da4b42e91da5f10c5b98597776386
├── [ 489] CVE-2025-6218.bat
├── [ 311] CVE-2025-6218.zip
├── [1.1K] LICENSE
└── [2.3K] README.md

0 directories, 4 files