CVE-2025-0332

High

Published: 12 February 2025

Published

12 February 2025

Modified

03 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0019 41.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted directory.

Security Summary

CVE-2025-0332 is a path traversal vulnerability (CWE-22) in Progress Telerik UI for WinForms, affecting versions prior to 2025 Q1 (2025.1.211). The issue arises from improper limitation of a target path, which can enable the decompression of an archive's content into a restricted directory. Published on 2025-02-12, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability with low attack complexity and no required privileges, but user interaction is necessary. By providing a malicious archive, the attacker can trick a user into decompressing it via the affected component, allowing arbitrary file placement in restricted directories and resulting in high impacts to confidentiality, integrity, and availability.

The Telerik knowledge base advisory at https://docs.telerik.com/devtools/winforms/knowledge-base/kb-security-path-traversal-cve-2025-0332 provides details on the issue, with mitigation achieved by updating to Telerik UI for WinForms 2025 Q1 (2025.1.211) or later.

Details

CWE(s): CWE-22

Affected Products

progress

telerik ui for winforms

≤ 2025.1.211

References

https://docs.telerik.com/devtools/winforms/knowledge-base/kb-security-path-traversal-cve-2025-0332
Vendor Advisory · security@progress.com