Published: 2025-12-05T23:15:46.643
Overview
A security vulnerability, identified as CVE-2025-14111, has been discovered in RAR for Android, specifically affecting versions up to 7.11 Build 127. This vulnerability allows for path traversal, potentially enabling attackers to access or manipulate files outside of the intended application directory. It’s crucial to update your RAR for Android application to version 7.20 build 128 or later to mitigate this risk.
Technical Details
The vulnerability resides in the com.rarlab.rar component of the RAR for Android application. By supplying crafted input, an attacker can abuse the path traversal flaw to write files to arbitrary locations on the device. Although exploitation is considered difficult because of the complexity of the attack, a public exploit is available, which increases the urgency of patching.
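As an added illustration of the bug class described above (not RAR for Android's own code, whose internals this advisory does not show), the following Java shows the unvalidated join that lets an archive entry escape the extraction directory beside a hardened version that canonicalizes the destination and rejects any entry resolving outside it. The class name, entry names and temporary destination are constructed for the example; Linux/Android path semantics are assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.List;
// Added example, not RAR for Android's own code: the entry-name validation an
// archive extractor needs so a crafted entry cannot land outside the destination.
public final class SafeExtractPath {
    // Vulnerable pattern: the archive-supplied name is joined without validation,
    // so "../" segments or an absolute name escape the destination directory.
    static Path unsafeTarget(Path destDir, String entryName) {
        return destDir.resolve(entryName);
    }
    // Hardened pattern: unify separators, resolve against the real (symlink-free)
    // destination, normalize away ".." and require the result to stay inside it.
    static Path safeTarget(Path destDir, String entryName) throws IOException {
        if (entryName.isEmpty() || entryName.indexOf('\0') >= 0) throw new IOException("invalid entry name");
        String name = entryName.replace('\\', '/'); // so "..\\x" cannot bypass the check
        Path root = destDir.toRealPath();           // destDir must already exist
        Path candidate = root.resolve(name).normalize();
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        return candidate;
    }
    // Writes one entry. The parent is re-resolved after creation so a symlink planted
    // by an earlier entry cannot redirect the write; CREATE_NEW (O_CREAT|O_EXCL) also
    // refuses to follow a symlink or overwrite an existing file at the target itself.
    static void writeEntry(Path destDir, String entryName, byte[] data) throws IOException {
        Path target = safeTarget(destDir, entryName);
        Files.createDirectories(target.getParent());
        if (!target.getParent().toRealPath().startsWith(destDir.toRealPath())) {
            throw new IOException("parent resolves outside destination: " + entryName);
        }
        Files.write(target, data, StandardOpenOption.CREATE_NEW);
    }
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract");
        // Constructed entry names: the first is benign, the rest are escape attempts.
        for (String n : List.of("docs/readme.txt", "../escape.txt", "/sdcard/escape.txt", "..\\escape.txt")) {
            try {
                writeEntry(dest, n, new byte[] {'x'});
                System.out.println("extracted " + n + " -> " + safeTarget(dest, n));
            } catch (IOException e) {
                System.out.println("rejected  " + n + " (unsafe join gives " + unsafeTarget(dest, n) + "): " + e.getMessage());
            }
        }
    }
}
```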
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 5.0
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Arbitrary File Write: An attacker could potentially overwrite sensitive system files, leading to denial of service or system instability.
- Data Leakage: An attacker might gain unauthorized access to sensitive data stored on the device.
- Code Execution: In some scenarios, if the attacker is able to write executable code to a specific location, they could potentially achieve code execution.
Mitigation or Patch Steps
The most effective mitigation is to upgrade RAR for Android to version 7.20 build 128 or later. This update contains the necessary fix to address the path traversal vulnerability. Please update via the Google Play Store or your preferred method of application update.
References
Important Note from the Vendor: “This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (…) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is a RAR for Android-only issue and WinRAR isn’t affected.”