CVE-2025-14111

A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal. It is possible to launch the attack remotely. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.20 build 128 is able to mitigate this issue. You should upgrade the affected component. The vendor responded very professional: "This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (...) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is RAR for Android only issue and WinRAR isn't affected."

CVSS v3 5.0 MEDIUM
CVSS v2.0 5.1 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.1^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md	Exploit Third Party Advisory
https://vuldb.com/?ctiid.334491	Permissions Required VDB Entry
https://vuldb.com/?id.334491	Third Party Advisory VDB Entry
https://vuldb.com/?submit.697375	Third Party Advisory VDB Entry
https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:rarlab:rar:*:*:*:*:*:*:*:*

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

History

29 Apr 2026, 01:00

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de seguridad ha sido detectada en la aplicación Rarlab RAR hasta la versión 7.11 Build 127 en Android. Esto afecta una parte desconocida del componente com.rarlab.rar. Dicha manipulación conduce a un salto de ruta. Es posible lanzar el ataque de forma remota. Los ataques de esta naturaleza son altamente complejos. Se indica que la explotabilidad es difícil. El exploit ha sido divulgado públicamente y puede ser utilizado. La actualización a la versión 7.20 build 128 puede mitigar este problema. Debería actualizar el componente afectado. El proveedor respondió de forma muy profesional: 'Esta es la vulnerabilidad real que afecta solo a RAR para Android. Las versiones de WinRAR y Unix RAR no están afectadas. Ya lo solucionamos en RAR para Android 7.20 build 128 y lo mencionamos públicamente en el registro de cambios de esa versión. (...) Para evitar confusiones entre los usuarios, sería útil que dicha divulgación enfatice que es un problema exclusivo de RAR para Android y que WinRAR no está afectado.'

12 Dec 2025, 12:45

Type	Values Removed	Values Added
CPE		cpe:2.3:o:google:android:-:::::::* cpe:2.3:a:rarlab:rar::::::::
First Time		Rarlab Google Google android Rarlab rar
References	~~() https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md -~~	() https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md - Exploit, Third Party Advisory
References	~~() https://vuldb.com/?ctiid.334491 -~~	() https://vuldb.com/?ctiid.334491 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.334491 -~~	() https://vuldb.com/?id.334491 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.697375 -~~	() https://vuldb.com/?submit.697375 - Third Party Advisory, VDB Entry

08 Dec 2025, 18:15

Type	Values Removed	Values Added
References	~~() https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md -~~	() https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md -

05 Dec 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-05 23:15

Updated : 2026-04-29 01:00

NVD link : CVE-2025-14111

Mitre link : CVE-2025-14111

CVE.ORG link : CVE-2025-14111

JSON object : View

Products Affected

rarlab

google

android

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

5.0 /10