CVE-2025-52331

6.1 MEDIUM

📋 TL;DR

A cross-site scripting vulnerability in WinRAR's generate report function allows attackers to inject malicious HTML into reports, potentially disclosing user information like computer username, report directory, and IP address. This affects users of WinRAR 7.11 who generate and open reports. User interaction is required as victims must open a maliciously crafted report.

💻 Affected Systems

Products:
  • Rarlab WinRAR
Versions: 7.11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the generate report functionality; requires user to open the generated report.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal sensitive user information, execute arbitrary scripts in the user's context, or redirect to malicious sites for further exploitation.

🟠 Likely Case

Information disclosure of system details (username, IP, directory paths) which could aid in targeted attacks or reconnaissance.

🟢 If Mitigated

Limited impact if users avoid opening untrusted reports or have script-blocking browser extensions.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening a malicious report); proof-of-concept details are publicly available in the GitHub gist reference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor websites for updates beyond 7.11

Vendor Advisory: https://www.rarlab.com/rarnew.htm

Restart Required: No

Instructions:

1. Visit https://www.win-rar.com/download.html.
2. Download and install the latest version of WinRAR.
3. Verify the version is updated beyond 7.11.

🔧 Temporary Workarounds

Disable Generate Report Functionality (Windows)

Avoid using the generate report feature in WinRAR to prevent exploitation.

Use Browser Security Settings (all platforms)

Configure browsers to block scripts or open reports in a sandboxed environment.

🧯 If You Can't Patch

  • Educate users to never open WinRAR reports from untrusted sources.
  • Implement application whitelisting to restrict execution of WinRAR reports.

🔍 How to Verify

Check if Vulnerable:

Check WinRAR version: if it is 7.11, it is vulnerable. Use the generate report function with a test payload to see if HTML injection occurs.

Check Version:

Open WinRAR, go to Help > About WinRAR, and check the version number.

Verify Fix Applied:

Update WinRAR to the latest version and retest the generate report function; ensure no HTML injection occurs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns related to report generation
  • User reports of unexpected behavior when opening WinRAR reports

Network Indicators:

  • Outbound connections to suspicious domains triggered by report opening

SIEM Query:

Search for process executions of WinRAR with command-line arguments containing 'report' or file extensions like .html/.htm from WinRAR directories.
