Cyber Resilience

CVE-2022-44900

Critical · Public PoC

Published: 06 December 2022
Modified: 23 April 2025
KEV Added: not listed
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.2501 (96.3rd percentile)
Risk Priority: 33 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-44900 is a critical-severity Path Traversal (CWE-22) vulnerability in py7zr (py7zr project). Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

A directory traversal vulnerability exists in the SevenZipFile.extractall() function of the py7zr Python library, versions 0.20.0 and earlier. The flaw, tracked as CWE-22, permits a specially crafted 7z archive, when extracted, to write files to arbitrary locations on the filesystem. It carries a CVSS 3.1 base score of 9.1, reflecting a network attack vector, low attack complexity, and no required privileges (authentication) or user interaction.

An attacker can supply a malicious 7z file to any application or service that uses the affected py7zr library to extract archives from untrusted sources. Successful exploitation results in the ability to overwrite or create arbitrary files, which can lead to code execution, configuration changes, or other impacts on confidentiality and integrity.

Public references include a GitHub commit that addresses the issue in the py7zr repository along with proof-of-concept material on Packet Storm. The EPSS score reached a peak of 0.3328 and currently stands at 0.2501.

Vulnerability details

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: py7zr project
Product: py7zr
Versions: ≤ 0.20.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Path validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
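The control above, and the extraction flaw described under "Deeper analysis", both come down to one check: before any entry of an archive is written, confirm that its name cannot resolve outside the destination directory. The following is an added example of that check written for this page; it is not py7zr's code and not the upstream fix. It assumes a POSIX filesystem, a hypothetical destination path, and a constructed list of entry names standing in for the names an application would obtain from its archive library before calling extractall(). It goes beyond the single `..` case in the text by also handling absolute paths, Windows drive letters and backslash separators, and by resolving symlinks already present under the destination.

```python
import os
import posixpath
import re

# Constructed entry names for the example; they are not taken from a real
# archive. Comments state the expected verdict of is_safe_member().
SAMPLE_MEMBERS = [
    "docs/readme.txt",               # ordinary relative path: safe
    "docs/../notes.txt",             # resolves to notes.txt inside dest: safe
    "../../outside/overwritten.txt", # climbs above dest: reject
    "/etc/hosts",                    # absolute path: reject
    "docs\\..\\..\\secret",          # Windows separators, climbs above dest: reject
    "C:/Windows/win.ini",            # drive-letter path: reject
    "",                              # empty name: reject
]

# Matches a leading Windows drive specifier such as "C:" (assumption: an
# archive produced on Windows may carry such names).
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_safe_member(dest_root: str, member_name: str) -> bool:
    """Return True only if extracting ``member_name`` stays inside ``dest_root``.

    Two independent checks are applied:
      1. lexical: after treating backslashes as separators, the name must be
         non-empty, relative, not name a drive, and not begin with '..' once
         normalised (this catches "a/../../b" as well as a bare "../b");
      2. filesystem: the resolved target must have ``dest_root`` as a common
         path prefix, which also rejects entries routed through a symlink
         that already exists under the destination.
    """
    rel = member_name.replace("\\", "/")
    if not rel or posixpath.isabs(rel) or _DRIVE_RE.match(rel):
        return False
    norm = posixpath.normpath(rel)
    if norm == ".." or norm.startswith("../"):
        return False
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Raised when the two paths are on different drives: not contained.
        return False


def partition_members(dest_root: str, names):
    """Split entry names into (safe, rejected) lists for ``dest_root``."""
    safe, rejected = [], []
    for name in names:
        (safe if is_safe_member(dest_root, name) else rejected).append(name)
    return safe, rejected


if __name__ == "__main__":
    # Hypothetical destination; it does not need to exist for the check.
    ok, bad = partition_members("/tmp/py7zr-extract-demo", SAMPLE_MEMBERS)
    print("safe:", ok)
    print("rejected:", bad)
```

The intended use is to run partition_members() over the full entry list first and refuse the whole archive if anything is rejected, rather than silently skipping bad entries: a single traversal entry is evidence the archive is hostile, and that decision is also the natural point to emit a detection event.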
