{"api_version":"1","generated_at":"2026-04-23T14:23:45+00:00","cve":"CVE-2018-20250","urls":{"html":"https://cve.report/CVE-2018-20250","api":"https://cve.report/api/cve/CVE-2018-20250.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-20250","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-20250"},"summary":{"title":"CVE-2018-20250","description":"In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.","state":"PUBLIC","assigner":"cve@checkpoint.com","published_at":"2019-02-05 20:29:00","updated_at":"2019-10-09 23:39:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/106948","name":"106948","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"WinRAR Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://github.com/blau72/CVE-2018-20250-WinRAR-ACE","name":"https://github.com/blau72/CVE-2018-20250-WinRAR-ACE","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"GitHub - blau72/CVE-2018-20250-WinRAR-ACE: Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250).","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html","refsource":"MISC","tags":["Third Party Advisory","VDB Entry"],"title":"RARLAB WinRAR ACE Format Input Validation Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/46552/","name":"46552","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"WinRAR 5.61 - Path Traversal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace","name":"http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace","refsource":"MISC","tags":["Third Party Advisory"],"title":"RARLAB WinRAR ACE Format Input Validation Remote Code Execution","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/46756/","name":"46756","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit) - Windows local Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://research.checkpoint.com/extracting-code-execution-from-winrar/","name":"https://research.checkpoint.com/extracting-code-execution-from-winrar/","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Extracting a 19 Year Old Code Execution from WinRAR - Check Point Research","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.win-rar.com/whatsnew.html","name":"https://www.win-rar.com/whatsnew.html","refsource":"MISC","tags":["Vendor Advisory"],"title":"WinRAR download and support: Whats New","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-20250","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20250","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"20250","vulnerable":"1","versionEndIncluding":"5.61","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rarlab","cpe5":"winrar","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2018","cve_id":"20250","cve":"CVE-2018-20250","vendorProject":"RARLAB","product":"WinRAR","vulnerabilityName":"WinRAR Absolute Path Traversal Vulnerability","dateAdded":"2022-02-15","shortDescription":"WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-08-15","knownRansomwareCampaignUse":"Known","notes":"https://nvd.nist.gov/vuln/detail/CVE-2018-20250","cwes":"CWE-36","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:11"},"epss":{"cve_year":"2018","cve_id":"20250","cve":"CVE-2018-20250","epss":"0.934620000","percentile":"0.998230000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:16"},"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@checkpoint.com","DATE_PUBLIC":"2019-02-05T00:00:00","ID":"CVE-2018-20250","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"WinRAR","version":{"version_data":[{"version_value":"All versions prior and including 5.61"}]}}]},"vendor_name":"Check Point Software Technologies Ltd."}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-36: Absolute Path Traversal"}]}]},"references":{"reference_data":[{"name":"https://github.com/blau72/CVE-2018-20250-WinRAR-ACE","refsource":"MISC","url":"https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"},{"name":"https://research.checkpoint.com/extracting-code-execution-from-winrar/","refsource":"MISC","url":"https://research.checkpoint.com/extracting-code-execution-from-winrar/"},{"refsource":"EXPLOIT-DB","name":"46552","url":"https://www.exploit-db.com/exploits/46552/"},{"name":"106948","refsource":"BID","url":"http://www.securityfocus.com/bid/106948"},{"name":"https://www.win-rar.com/whatsnew.html","refsource":"MISC","url":"https://www.win-rar.com/whatsnew.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"},{"refsource":"MISC","name":"http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace","url":"http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"},{"refsource":"EXPLOIT-DB","name":"46756","url":"https://www.exploit-db.com/exploits/46756/"}]}},"nvd":{"publishedDate":"2019-02-05 20:29:00","lastModifiedDate":"2019-10-09 23:39:00","problem_types":["CWE-22"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*","versionEndIncluding":"5.61","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"20250","Ordinal":"140532","Title":"CVE-2018-20250","CVE":"CVE-2018-20250","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"20250","Ordinal":"1","NoteData":"In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"20250","Ordinal":"2","NoteData":"2019-02-05","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"20250","Ordinal":"3","NoteData":"2019-04-25","Type":"Other","Title":"Modified"}]}}}