# REPRO-2026-00090: WinRAR ADS Path Traversal — Arbitrary Code Execution via Crafted Archive (CVE-2025-8088)

## Summary

- Status: published
- Severity: high
- Type: security
- Confidence: Unknown

## Identifiers

- REPRO ID: REPRO-2026-00090
- GHSA: GHSA-832g-3rcm-wcrf
- CVE: CVE-2025-8088

## Package

- Name: Unknown
- Ecosystem: Unknown
- Affected: Unknown
- Fixed: Unknown

## Root Cause

### Summary

CVE-2025-8088 is a path traversal flaw in WinRAR for Windows that allows archives containing Alternate Data Streams (ADS) to write files outside the chosen extraction directory. A crafted RAR with ADS entries can drop a payload into the user's Startup folder when extracted, enabling arbitrary code execution on next login.

### Impact

- Package/component affected: WinRAR for Windows (and Windows UnRAR/UnRAR.dll/portable UnRAR).
- Affected versions: WinRAR <= 7.12 (patched in 7.13).
- Risk level and consequences: High. A crafted archive can write files outside the destination, enabling persistence and code execution (e.g., Startup folder payloads).

### Root Cause

WinRAR's handling of ADS entries allows path traversal through relative path components (`..\`) embedded in ADS stream names. When extracting a RAR with ADS entries, WinRAR resolves traversal segments relative to the extraction path and permits writing the ADS payload into unintended locations (e.g., the Startup folder). WinRAR 7.13 release notes indicate this was fixed, suggesting validation was added to prevent traversal outside the destination.

### Reproduction Steps

1. Run `repro/reproduction_steps.sh` (wrapper for the PowerShell script).
2. The script installs WinRAR 7.12, downloads a public PoC generator, patches it to avoid PDF dependencies, generates an exploit RAR with multiple ADS traversal depths, then extracts it with WinRAR's `rar.exe` CLI.
3. Evidence of reproduction is a `payload.bat` written to the user Startup folder and logged output indicating "Issue confirmed."

### Evidence

- Logs: `logs/repro-.log` (created per run).
- Key excerpt (from successful runs):
  - "WinRAR version: 7.12.0"
  - "Exploit created: exploit.rar"
  - "VULNERABLE: payload written to startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat"
- Environment: Windows sandbox, WinRAR 7.12 installed via the rarlab installer, Python 3.12 used to run the PoC generator.

### Recommendations / Next Steps

- Upgrade WinRAR to 7.13 or later on Windows hosts.
- If WinRAR cannot be upgraded immediately, disable ADS handling or block extraction of untrusted archives.
- Add regression tests that extract crafted ADS archives and ensure no writes occur outside the destination directory.

### Additional Notes

- Idempotency: `repro/reproduction_steps.ps1` was run twice successfully; both runs produced the Startup payload and exited 0.
- Limitation: The PoC relies on ADS traversal; Linux/Unix builds are not affected per the vendor advisory.

## Reproduction Details

- Reproduced: 2026-02-17T11:15:27.049Z
- Duration: 7423 seconds
- Tool calls: 548
- Turns: 1
- Handoffs: 2

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00090
pruva-verify GHSA-832g-3rcm-wcrf
pruva-verify CVE-2025-8088
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00090&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00090/artifacts/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- GitHub Advisory: https://github.com/advisories/GHSA-832g-3rcm-wcrf
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8088

## Artifacts

- repro/rca_report.md (analysis, 2556 bytes)
- repro/reproduction_steps.sh (reproduction_script, 161 bytes)
- bundle/ticket.md (ticket, 1727 bytes)
- bundle/ticket.json (other, 5158 bytes)
- bundle/source.json (other, 2640 bytes)
- repro/reproduction_steps.ps1 (other, 4263 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00090
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00090/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00090

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction.
2. The script downloads and runs automatically in an isolated temp directory.
3. Always recommend running in a VM, container, or disposable environment.
4. The root cause section explains the technical vulnerability.

---

Generated by Pruva | https://pruva.dev