CVE-2022-30333
CVE-2022-30333 is a high-severity vulnerability in Rarlab Unrar with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-09). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-08-09)
- EU (EUVD) id: EUVD-2022-52276
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-08-09)
- Weakness: CWE-22
- Affected product: Rarlab Unrar
- Published:
- Last modified:
Description
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
CVE-2022-30333: UnRAR Path Traversal Enables Arbitrary File Write on Linux/UNIX
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2022-30333 |
| CVSS v3.1 | 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| CVSS v2 | 5.0 (MEDIUM) — AV:N/AC:L/Au:N/C:N/I:P/A:N |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| EPSS | 0.98975 (99.92nd percentile) |
| KEV | Yes — added 2022-08-09 |
| EU Exploited | Yes — since 2022-08-09 |
| Published | 2022-05-09 |
Summary
RARLAB UnRAR before version 6.12 on Linux and UNIX platforms fails to sanitize pathnames during archive extraction. A maliciously crafted RAR archive can traverse out of the intended destination directory and write files to arbitrary locations on the filesystem. This was publicly demonstrated by overwriting ~/.ssh/authorized_keys, which can lead to remote code execution via SSH access. WinRAR and Android RAR are not affected.
Background
UnRAR is the official command-line extraction utility for RAR archives, widely deployed on Linux servers, mail gateways, and web applications that accept archive uploads. Because many platforms and services automatically unpack incoming archives to inspect contents or extract attachments, UnRAR is often exposed to untrusted input in automated workflows. The vulnerability was discovered and reported in the context of a Zimbra mail-server exploitation chain, where an unauthenticated attacker could achieve pre-authentication remote code execution by combining this flaw with other techniques.
Root Cause
The vulnerability stems from CWE-22: Path Traversal. During the extraction process, UnRAR does not adequately validate or normalize file paths within the archive. An attacker can embed directory-traversal sequences (e.g., ../../../) into filenames or directory entries inside a RAR archive. When UnRAR processes these entries, it resolves the path relative to the extraction target without sufficient boundary checks, ultimately writing files outside the intended directory.
The root cause is an insufficient input-validation layer in the pathname-handling logic specific to the Linux/UNIX build of UnRAR; the Windows and Android code paths were not affected because they rely on different filesystem APIs and path-resolution semantics.
Impact
The CVSS v3.1 vector scores this vulnerability at 7.5 (HIGH) with the following characteristics:
- Attack Vector (AV): Network — the vulnerability can be exploited remotely.
- Attack Complexity (AC): Low — no special conditions are required.
- Privileges Required (PR): None — the attacker does not need credentials.
- User Interaction (UI): None — exploitation can be fully automated.
- Scope (S): Unchanged — the vulnerable component is the only one impacted.
- Confidentiality (C): None — no direct information disclosure.
- Integrity (I): High — arbitrary files can be created or overwritten.
- Availability (A): None — no direct denial-of-service effect.
The primary risk is integrity compromise: an attacker who can cause an affected system to extract a malicious archive can plant backdoors, modify startup scripts, or overwrite authentication keys. In the Zimbra attack chain, this was escalated to full unauthenticated remote code execution.
The EPSS score of 0.98975 places this vulnerability in the top 0.08% of all CVEs by probability of exploitation, and its presence on both the CISA KEV catalog and the EU exploited-vulnerability database confirms active, in-the-wild exploitation.
Exploitation Walkthrough
Ethics caveat: This section describes the vulnerability mechanism from a defensive and analytical perspective only. No weaponized exploit code is provided. The goal is to help defenders understand attack surface and detection opportunities.
An attacker constructs a RAR archive containing a file whose internal pathname includes directory-traversal sequences pointing to a sensitive target, such as:
../../../home/targetuser/.ssh/authorized_keys
When the victim system (or an automated service) invokes an affected version of UnRAR to extract the archive, the traversal sequences are resolved against the current working directory or the specified output path. Because the vulnerable UnRAR build does not block traversal above the extraction root, the file is written to the attacker's chosen absolute path. If the attacker supplies a valid SSH public key, they gain passwordless SSH access as the targeted user.
Key prerequisites for exploitation:
- The target system runs a vulnerable Linux/UNIX build of UnRAR.
- The attacker can deliver a malicious RAR archive to a workflow that automatically extracts it.
- The extraction process has sufficient filesystem permissions to write to the target path.
Affected and Patched Versions
Affected:
- RARLAB UnRAR for Linux and UNIX — all versions before 6.12
- Debian Linux 10.0 (ships vulnerable unrar packages)
- SUSE Linux Enterprise Server 12 SP5 and related SKUs (unrar < 5.6.1-4.8.1)
Not Affected:
- WinRAR (Windows)
- Android RAR
Patched:
- RARLAB UnRAR 6.12 and later for Linux/UNIX
Remediation
- Upgrade UnRAR to version 6.12 or later on all Linux and UNIX systems. The vendor provides updated binaries at the official RARLAB download page.
- Apply distribution patches if you rely on OS package managers:
- Debian LTS has issued updates (see DLA-3507-1).
- Gentoo has published GLSA 202309-04.
- SUSE has released SUSE-SU-2022:1760-1.
- Compensating controls (where immediate patching is not possible):
- Sandbox archive-extraction processes inside containers or chroot jails with minimal write permissions.
- Run extraction services under dedicated low-privilege accounts that cannot write to system directories or user home folders.
- Validate extracted file paths programmatically before use, rejecting any entries that resolve outside the intended destination directory.
- Consider disabling automatic extraction of RAR archives in untrusted ingestion pipelines.
Detection
- Filesystem monitoring: Alert on unexpected writes to
~/.ssh/authorized_keys,/etc/cron.d/,/etc/systemd/system/, or other sensitive paths immediately following an UnRAR process invocation. - Process auditing: Monitor command-line invocations of
unrarorunrar-nonfree, especially those executed by web-server, mail-server, or automation-service accounts. - EDR/SIEM rules: Correlate UnRAR process events with subsequent SSH login successes from new or unknown source IPs.
- Static asset scanning: Inventory all systems running UnRAR and flag versions below 6.12.
Assessment
CVE-2022-30333 is a textbook example of how a seemingly routine utility — an archive extractor — can become a critical attack vector when exposed to untrusted input. The extremely high EPSS score (0.98975) and confirmed KEV/EU-exploited status mean that threat actors have already weaponized this flaw at scale. The Zimbra exploitation chain demonstrated that path traversal in file-processing utilities is not merely a theoretical concern; in practice it can bridge the gap from a benign file upload to full server compromise.
Key lessons:
- Sanitize every pathname produced during archive extraction; never trust filenames embedded in third-party archive formats.
- Assume all file-processing utilities are security-critical when they handle untrusted input; patch them with the same urgency as internet-facing daemons.
References
- http://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html
- https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/
- https://lists.debian.org/debian-lts-announce/2023/08/msg00022.html
- https://security.gentoo.org/glsa/202309-04
- https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz
- https://www.rarlab.com/rar_add.htm
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30333
Frequently asked questions
- What is CVE-2022-30333?
- RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
- How severe is CVE-2022-30333?
- CVE-2022-30333 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2022-30333 being actively exploited?
- Yes. CVE-2022-30333 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-09, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-30333?
- CVE-2022-30333 primarily affects Rarlab Unrar. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-30333?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-30333 have an EU (EUVD) identifier?
- Yes. CVE-2022-30333 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-52276. It is also flagged as exploited in the EUVD (since 2022-08-09).
- When was CVE-2022-30333 published?
- CVE-2022-30333 was published on 2022-05-09 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html
- https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/
- https://lists.debian.org/debian-lts-announce/2023/08/msg00022.html
- https://security.gentoo.org/glsa/202309-04
- https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz
- https://www.rarlab.com/rar_add.htm
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30333
Affected products (2)
- cpe:2.3:a:rarlab:unrar:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Rarlab Unrar
- CVE-2017-12942 — Critical (CVSS 9.8): libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ function.
- CVE-2017-12941 — Critical (CVSS 9.8): libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpack::Unpack20 function.
- CVE-2017-12940 — Critical (CVSS 9.8): libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the EncodeFileName::Decode call within the…
- CVE-2012-6706 — Critical (CVSS 9.8): A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection…
- CVE-2017-14122 — Critical (CVSS 9.1): unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based buffer over-read in unrarlib.c, related to…
- CVE-2018-25018 — High (CVSS 7.8): UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write during a memcpy in QuickOpen::ReadRaw when called from…
All CVEs affecting Rarlab Unrar →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…