7-Zip users on Windows are urged to update their software after the disclosure of two “path traversal” vulnerabilities, CVE-2025-11001 and CVE-2025-11002.
All versions of 7-Zip from 21.02 to 24.09 are at risk, and the sole mitigation is to upgrade to version 25.00 or later, where stricter handling of symbolic links resolves the risk.
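As an added illustration of the class of bug described above (this is example code, not from the thread and not 7-Zip's own implementation): a Python simulation of sequential extraction that flags entries whose symlink targets, or files written through an earlier symlink, would resolve outside the extraction root. The entry tuples and the sample listing are constructed for this example; Windows-style backslashes are treated as separators.

```python
def _split(path, base=()):
    """Components of `path` under the extraction root, or None if it escapes.
    Backslashes count as separators, mirroring Windows-style path handling."""
    p = path.replace("\\", "/")
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return None                    # absolute or drive-letter path
    out = list(base)
    for part in p.split("/"):
        if part == "..":
            if not out:
                return None            # climbs above the extraction root
            out.pop()
        elif part not in ("", "."):
            out.append(part)
    return out

def _resolve(parts, links, depth=0):
    """Follow symlinks created by earlier entries; None means unsafe."""
    if depth > 32:
        return None                    # symlink loop
    for i in range(1, len(parts) + 1):
        key = "/".join(parts[:i])
        if key in links:               # path passes through an earlier symlink
            if links[key] is None:
                return None
            return _resolve(links[key] + parts[i:], links, depth + 1)
    return parts

def find_escaping_entries(entries):
    """entries: (name, symlink_target or None) in archive order. Returns names
    that would land outside the root, incl. files written through a symlink."""
    links, bad = {}, []
    for name, target in entries:
        parts = _split(name)
        real = _resolve(parts, links) if parts is not None else None
        if target is not None and parts is not None:
            t = _split(target, base=parts[:-1])   # target is relative to link dir
            t = _resolve(t, links) if t is not None else None
            links["/".join(parts)] = t
            real = None if t is None else real
        if real is None:
            bad.append(name)
    return bad

# Constructed sample listing (not a real archive); extraction order matters
SAMPLE = [
    ("docs/link", "../../outside"),         # symlink target above the root
    ("docs/link/file.txt", None),           # file written through that link
    ("data/inner", "../docs"),              # symlink that stays inside the root
    ("data/inner/notes.txt", None),         # resolves to docs/notes.txt, fine
    ("win\\abs", "C:\\Windows"),            # absolute (drive-letter) target
    ("../escape.txt", None),                # plain traversal
]
```

`find_escaping_entries(SAMPLE)` returns the four unsafe names and leaves the in-root symlink and the file written through it alone.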
Windows supports symbolic links?
Actually, they are called Junctions on Windows!
Windows barely supports them, and they are essentially in a limbo of being deprecated and being supported with Microsoft changing how to do them locally whenever. Introduced in Windows 10.
Junctions aren’t really the equivalent to symbolic links from my understanding because:
- they only work on directories
- they make use of NTFS functionality and as such, can only link between local NTFS drives
Symbolic links do actually exist: https://learn.microsoft.com/en-us/windows/win32/fileio/creating-symbolic-links
Interestingly, relative symbolic links can’t cross volumes, which kind of makes sense (“Relative symbolic links are restricted to a single volume.”) - volumes are namespaced anyways, so if you know you need to access another one, using an absolute symlink makes more sense.
Yeah, junctions would be most similar to a mount point. Though you can also mount one directory under another, so it’s more like a directory hardlink in that case.
And symlinks were actually introduced in Vista, but for some reason you needed to be an Admin to create one. With Win10 they removed that restriction, but for some reason kept it behind a “developer mode” anyway; it’s strange.
Though you can also mount one directory under another, so it’s more like a directory hardlink in that case.
It sounds a lot like a bind mount at filesystem level
Yes, thank you! I knew there was something like it on the *nix side, but the only thing that was coming to mind was overlayfs, which ain’t it.
I thought Windows was trying to be more like Linux :(
I stopped taking Windows seriously after Windows 2000
Windows 2000 was released before I was born.
But I did use 2000 in a 86Box emulated machine. It just feels so good to use. Professional users were treated well!
Windows 2000 was released before I was born.
… bruh 👴🏻
Oof, right in the middle age!
But yeah, it was the most polished and performant Windows for years - lean and mean. I completely skipped the candy-coated bullshit of XP and eventually had to move to 7 solely for hardware compatibility reasons when I finally had the money to buy modern gaming hardware. What a disappointment that was.
They missed out on 98, that was my bread and butter. My last Windows PC dies this month, then we’ll be a *bian household.
I grew up with Vista and 7, and so have a very soft spot for it.
I use Linux daily, but my nostalgia VM is on Vista with plenty of period-correct games! Running in VMware, I found the huge coincidence that the display driver has enough overhead to run the games realistically for that period!
7z on Linux is all good though?
I guess? It’s to do with Unix-Windows path conversions, so I assume Unix-like systems aren’t affected.