CVE-2025-8088 Technical Analysis: WinRAR Arbitrary File Write Through ADS

WinRAR is one of the most used archive utilities on Windows. It supports preserving and restoring NTFS-specific metadata, such as ADS (Alternate Data Streams). CVE-2025-8088 is present in the ADS-handling logic of specific WinRAR versions. In vulnerable versions, a malicious archive can influence the stream identifier used during extraction, with inadequate path normalization and validation in the ADS creation workflow enabling directory traversal.

CVE-2025-8088 is assessed as a high-severity issue, with a CVSS v4.0 base score of 8.4 (High), reflecting the potential for measurable security impact if a user extracts a specially crafted archive using a vulnerable version of WinRAR.

NTFS (New Technology File System) is the default filesystem for modern versions of Windows. Compared to FAT-based filesystems, NTFS supports advanced capabilities including ACLs (access control lists), EFS encryption, compression, hard links, reparse points (junctions and symlinks), and ADS. 

ADS is an NTFS feature that allows a single file or directory to contain multiple independent streams of data. The primary, user-visible content is stored in the unnamed default stream, commonly represented as ::$DATA, while additional named streams can be accessed using the syntax: 

filename.ext:streamname 

These named streams are not normally visible in standard Windows Explorer views, but they are fully supported by the filesystem and can be enumerated using supported tooling. For instance, dir /R can display alternate streams. 

WinRAR supports extracting archive entries that include ADS syntax. When such entries exist within an archive, WinRAR writes the corresponding content into the target file’s alternate stream during extraction. 

The RAR5 archives are stored as a sequence of blocks. Each block starts with a header that defines the block type and size information. It may optionally include an additional metadata area and a data area consisting of payload bytes, such as compressed content.

Block = Header + (optional Extra Area) + (optional Data Area)

RAR5 uses several block types. The relevant block types in the CVE are:

• File header (type 2): Describes a file entry in the archive (name/path, attributes, timestamps, compression parameters) and is followed by the file’s payload data

• Service header (type 3): Optional supplementary headers that store additional metadata associated with the archive or a specific file entry, such as ADS

ADS in the NTFS file system are represented by a Service header (type 3), referred to as STM. The service header’s data area contains the ADS stream bytes for the base file entry.

In simplified form:

WinRAR processes RAR5 archives as a sequence of blocks. During extraction, it iterates over these blocks, parses each block header, and validates header integrity using the embedded CRC32 before continuing. After a file entry is processed, WinRAR decompresses and writes the base file content to the disk, then determines whether additional NTFS-related metadata must be applied via associated service records. When an ADS (Alternate Data Stream) record is present, such as an STM service entry, WinRAR enters the ADS-handling path, combines the base file path with the stream name to form the ADS target, and creates the stream. 

Our graduate fellows performed a combination of static and dynamic analysis in a controlled lab environment using WinRAR 7.12. They located ADS-related logic by searching for the “STM” service marker in the binary and then confirmed the extraction-side code path at runtime.

WinRAR processes each RAR5 block by reading the block header, validating integrity fields, and dispatching to a block-type-specific handler. The block-processing entry point and the associated header parsing logic are shown in Figures 6-10, where WinRAR sets the file pointer to the current block offset, reads the initial header bytes, which include header type and size, and validates header integrity using CRC32 before continuing.

After successful validation, it parses additional header fields, such as flags, unpacked size, compression method, and optional checksums. Then, it processes the block body.

The ADS processing path is reached when WinRAR encounters a Service block. Service blocks use block type value 3. When a Service block is detected, WinRAR dispatches it to a service-header handler.

CVE-2025-8088 is practically exploitable in scenarios where an attacker induces a user to extract a crafted RAR archive using a vulnerable version of WinRAR. A typical delivery vector is social engineering, such as phishing, which leads the victim to trust a malicious archive and initiate extraction in a critical system.

The archive embeds an ADS (“STM”) service record. Its stream name is constructed to introduce traversal semantics. During extraction on NTFS, WinRAR processes the ADS record and derives the destination stream path from archive-controlled metadata. Because this ADS path construction is insufficiently constrained, the resolved target can fall outside the user-selected extraction directory, including critical locations such as the user’s startup folder.

To demonstrate CVE-2025-8088, our graduate fellows prepared a crafted RAR archive file containing an ADS (“STM”) service record with attacker-controlled fields. This archive is structured with an ADS stream name that includes traversal sequences. This structure influences the final target location during ADS handling, including the path passed to CreateFileW() when the stream is created. To ensure that WinRAR accepts the modified metadata and reaches the ADS-processing path, the relevant header CRC32 values are recomputed so the archive passes header integrity validation.