Cyber Posture

CVE-2025-66945

Severity: Critical · Public PoC available

Published: 03 March 2026
Modified: 04 March 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0020 (41.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A path traversal vulnerability exists in the ZIP extraction API of Zdir Pro 4.x. When a crafted ZIP archive is processed by the backend at /api/extract, files may be written outside the intended directory, leading to arbitrary file overwrite and potentially remote code execution.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Requires validation of information inputs, directly preventing path traversal in ZIP extraction by sanitizing and canonicalizing file paths in crafted archives.
- Prevent: Mandates timely flaw remediation, directly addressing and patching the specific path traversal vulnerability in the /api/extract endpoint.
- Prevent: Enforces access controls to limit file write operations to the intended extraction directory, reducing the impact of unauthorized overwrites.

Security Summary

CVE-2025-66945, published on 2026-03-03, is a path traversal vulnerability in the ZIP extraction API of Zdir Pro 4.x. The issue affects the backend endpoint at /api/extract, where processing a crafted ZIP archive enables files to be written outside the intended directory. This can result in arbitrary file overwrites and potentially remote code execution. The vulnerability carries a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-787.

An unauthenticated remote attacker can exploit this vulnerability by submitting a specially crafted ZIP archive to the /api/extract endpoint. No user interaction or privileges are required, allowing low-complexity network-based attacks. Successful exploitation enables arbitrary file overwrites beyond the extraction directory, leading to high impacts on confidentiality and integrity, with potential escalation to remote code execution depending on the overwritten files.
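The input-validation control above (canonicalize each archive entry's destination and refuse anything that resolves outside the extraction directory) is the standard defence against this class of bug. The following is an added Python example, not code from Zdir Pro or from the advisories; the archive and its entry names are constructed in memory for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one benign entry plus three entries whose names
# try to escape the extraction directory, the pattern described in the advisory.
SAMPLE_ENTRIES = {
    "docs/readme.txt": b"benign content\n",
    "../outside.txt": b"parent-directory reference\n",
    "docs/../../outside2.txt": b"escape hidden behind a normal prefix\n",
    "/etc/overwrite.txt": b"absolute path\n",
}


def build_sample_zip(entries=SAMPLE_ENTRIES):
    """Return the bytes of an in-memory ZIP holding the constructed entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_extract(zip_bytes, dest_dir):
    """Extract into dest_dir, skipping entries whose canonical destination
    falls outside it. Returns (written, rejected) lists of entry names."""
    dest_root = os.path.realpath(dest_dir)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Canonicalize after joining: "..", "." and absolute prefixes resolve here.
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            try:
                contained = os.path.commonpath([dest_root, target]) == dest_root
            except ValueError:  # different drives on Windows: cannot be contained
                contained = False
            if not contained:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo():
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), tmp)
```

Running `demo()` writes only `docs/readme.txt` and reports the three escaping names as rejected; the same containment check works for tar or any other archive format whose entry names are attacker-controlled.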

Advisories providing details on mitigations and patches are available at https://github.com/kaliworld/Zdir-Pro-Zip-slip-vulnerability/ and https://zeroday.endlessparadox.com/posts/cve-2025-66945/.

Details

CWE(s): (none listed here; the Security Summary cites CWE-787)

Affected Products

Vendor: zdir
Product: zdir
Versions: 4.1.1 to 4.6.2

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? The vulnerability is a path traversal in a public-facing web API endpoint (/api/extract) that allows an unauthenticated remote attacker to overwrite arbitrary files via a crafted ZIP archive, which is exactly the exploitation of a public-facing application this technique describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References