
7-Zip 25 Update?

Open TJNOV opened this issue 2 months ago • 15 comments

7-Zip has been exposed to high-risk vulnerabilities. Should NanaZip be updated to version 25 as soon as possible?

TJNOV avatar Oct 12 '25 06:10 TJNOV

The preview version has been updated, but the stable version has not yet been updated.

TJNOV avatar Oct 12 '25 06:10 TJNOV

CVE-2025-11001 and CVE-2025-11002

z0z0r4 avatar Oct 12 '25 07:10 z0z0r4

+1 this ASAP

thuantran avatar Oct 14 '25 01:10 thuantran

Read https://x.com/MouriNaruto/status/1965637950789779705 for the next stable release date.

Read https://github.com/M2Team/NanaZip/blob/main/Documents/Security.md for the current security policy of NanaZip.

I hope the release schedule will be improved after the 6.0 stable release, because the 6.0 development stage changes a lot, not only the implementation, but also the development team.

Kenji Mouri

MouriNaruto avatar Oct 14 '25 02:10 MouriNaruto

"This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account." https://www.zerodayinitiative.com/advisories/ZDI-25-949/

I believe this falls under "NanaZip mainly cares about the vulnerability type of running unauthorized logics".

Best regards,

thuantran avatar Oct 14 '25 02:10 thuantran

> "This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
>
> The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account." https://www.zerodayinitiative.com/advisories/ZDI-25-949/
>
> I believe this falls under "NanaZip mainly cares about the vulnerability type of running unauthorized logics".
>
> Best regards,

But it may not be reproduced by NanaZip because NanaZip disables dynamic code generation for most components.

Also, NanaZip disables child process creation for the non-File Manager part.

Kenji Mouri

MouriNaruto avatar Oct 14 '25 03:10 MouriNaruto

The POC is proved on NanaZip 5.0.1263.0 and NanaZip Preview 6.0.1461.0. https://github.com/pacbypass/CVE-2025-11001/tree/main

HikariCalyx avatar Oct 20 '25 04:10 HikariCalyx

> The POC is proved on NanaZip 5.0.1263.0 and NanaZip Preview 6.0.1461.0. https://github.com/pacbypass/CVE-2025-11001/tree/main

It seems the issue happens in 7-Zip's UI part. I need some time to update NanaZip's 7-Zip UI part to 25.01; this is one of the things I'm working on in the NanaZip 6.0 development work. (NanaZip has only updated the 7-Zip codec part and console command line part to 25.01 at the current stage.)

Kenji Mouri

MouriNaruto avatar Oct 20 '25 05:10 MouriNaruto

> > The POC is proved on NanaZip 5.0.1263.0 and NanaZip Preview 6.0.1461.0. https://github.com/pacbypass/CVE-2025-11001/tree/main
>
> It seems the issue happens in 7-Zip's UI part. I need some time to update NanaZip's 7-Zip UI part to 25.01; this is one of the things I'm working on in the NanaZip 6.0 development work. (NanaZip has only updated the 7-Zip codec part and console command line part to 25.01 at the current stage.)
>
> Kenji Mouri

I wonder if it's possible to backport the UI part change to 5.x, since the current POC assumes the user extracts it via the GUI.

HikariCalyx avatar Oct 20 '25 06:10 HikariCalyx

> > > The POC is proved on NanaZip 5.0.1263.0 and NanaZip Preview 6.0.1461.0. https://github.com/pacbypass/CVE-2025-11001/tree/main
> >
> > It seems the issue happens in 7-Zip's UI part. I need some time to update NanaZip's 7-Zip UI part to 25.01; this is one of the things I'm working on in the NanaZip 6.0 development work. (NanaZip has only updated the 7-Zip codec part and console command line part to 25.01 at the current stage.)
> >
> > Kenji Mouri
>
> I wonder if it's possible to backport the UI part change to 5.x, since the current POC assumes the user extracts it via the GUI.

I'm sorry. It's really hard because I need to do some refactoring work before porting. I don't have enough effort to maintain two different versions with the current implementation. But starting with NanaZip 6.0 will solve the issue because I will make that ready for maintaining two different versions, a.k.a. stable and preview, starting with NanaZip 6.0.

Kenji Mouri

MouriNaruto avatar Oct 20 '25 09:10 MouriNaruto

> The preview version has been updated, but the stable version has not yet been updated.

The preview version available from the Microsoft Store seems to be based on 7-Zip 24.09 (Inherit all features from 7-Zip 24.09, according to the description of its features), which is one of the vulnerable versions: 21.02 - 25.00.

The preview version available here on GitHub - NanaZip 6.0 Preview 1 (6.0.1461.0) Pre-release - seems to be based on 7-Zip 25.01 (Synchronize 7-Zip mainline implementations to 25.01).

@MouriNaruto, can you confirm if the latest GitHub preview version is safe from the vulnerabilities? Should we just install the MSIX package directly from here?

EeK9X avatar Oct 21 '25 00:10 EeK9X

> the latest GitHub preview version is safe from the vulnerabilities

It's not safe from some vulnerabilities because some issues are caused by the UI part of the inherited 7-Zip mainline source code. Current NanaZip only updates the codecs, SFX stubs, and CLI console's source code because I didn't have enough time before to be satisfied with both synchronization and modernization. But the next NanaZip 6.0 previews and stable version will solve the issue because I'm working on moving the UI implementations to the latest inherited 7-Zip mainline source code. Also, I will have more time because NanaZip entered the community cooperation mode since NanaZip 6.0, a.k.a. having two active BDFLs. (https://github.com/M2Team/NanaZip/blob/main/Documents/People.md)

Kenji Mouri

MouriNaruto avatar Oct 21 '25 00:10 MouriNaruto

> Read https://x.com/MouriNaruto/status/1965637950789779705 for the next stable release date.

For those of us who won't visit Nazi Xitter, could someone post the content here?

Or perhaps it could be posted to https://bsky.app/profile/mourinaruto.bsky.social???

dcog989 avatar Oct 21 '25 11:10 dcog989

@HikariCalyx Could you get the build from here https://github.com/M2Team/NanaZip/pull/783 and check if the issue is fixed?

dinhngtu avatar Nov 29 '25 17:11 dinhngtu

Reopen because the work is not finished.

Kenji Mouri

MouriNaruto avatar Nov 29 '25 20:11 MouriNaruto