CVE-2025-66945
Published: 03 March 2026
Summary
CVE-2025-66945 is a critical-severity vulnerability in Zdir Pro 4.x. It is recorded as an Out-of-bounds Write (CWE-787), although the behaviour described is a ZIP path traversal ("Zip Slip"), which is conventionally classified as CWE-22. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-66945, published on 2026-03-03, is a path traversal vulnerability in the ZIP extraction API of Zdir Pro 4.x. The issue affects the backend endpoint at /api/extract, where processing a crafted ZIP archive enables files to be written outside the intended directory. This can result in arbitrary file overwrites and potentially remote code execution. The vulnerability carries a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-787.
An unauthenticated remote attacker can exploit this vulnerability by submitting a specially crafted ZIP archive to the /api/extract endpoint. No user interaction or privileges are required, allowing low-complexity network-based attacks. Successful exploitation enables arbitrary file overwrites beyond the extraction directory, leading to high impacts on confidentiality and integrity, with potential escalation to remote code execution depending on the overwritten files.
References for this issue, including the public proof-of-concept repository, are available at https://github.com/kaliworld/Zdir-Pro-Zip-slip-vulnerability/ and https://zeroday.endlessparadox.com/posts/cve-2025-66945/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208245
Vulnerability details
A path traversal vulnerability exists in the ZIP extraction API of Zdir Pro 4.x. When a crafted ZIP archive is processed by the backend at /api/extract, files may be written outside the intended directory, leading to arbitrary file overwrite and potentially remote code execution.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerability is a path traversal in a public-facing web API endpoint (/api/extract) that allows an unauthenticated remote attacker to overwrite arbitrary files via a crafted ZIP archive, which is exploitation of a public-facing application.
Affected Assets
- Zdir Pro 4.x
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of information inputs, which directly prevents path traversal during ZIP extraction by sanitizing and canonicalizing the file paths carried in archive entries and rejecting any that resolve outside the extraction directory.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, that is, applying the vendor fix for the path traversal in the /api/extract endpoint.
- Access enforcement on the file system: restricts the service account's write permissions to the intended extraction directory, so that an entry that does escape cannot overwrite application code or configuration and the impact of the flaw is reduced.
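The following is an added example, not code from Zdir Pro or from the referenced proof-of-concept. It illustrates the Zip Slip mechanism described under "Deeper analysis" and the canonicalization check that SI-10 calls for: a constructed archive carries one benign entry, one `../../` entry and one absolute-path entry; `unsafe_extract` reproduces the vulnerable pattern (trust the entry name, join it to the destination, write), and `safe_extract` resolves each target with `os.path.realpath` and requires it to remain inside the destination. Everything runs in a temporary directory; the endpoint, archive contents and file names are assumptions for the demonstration.

```python
"""Zip Slip: crafted ZIP entry names that escape the extraction directory,
beside the canonicalisation check that stops them.

Added example; not code from Zdir Pro. The archive is constructed here
and the extraction happens in a temporary directory, not via /api/extract.
"""
import io
import os
import tempfile
import zipfile


def build_malicious_zip(abs_target: str) -> bytes:
    """Constructed sample archive (not a real exploit artefact).

    zipfile accepts arbitrary names through ZipInfo, so the archive can carry
    the two classic Zip Slip shapes: a relative '../' escape and an absolute
    path. abs_target is an assumed absolute path inside the demo directory.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/ok.txt", "benign content")
        zf.writestr(zipfile.ZipInfo("../../escaped.txt"), "written outside")
        zf.writestr(zipfile.ZipInfo(abs_target), "absolute path entry")
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """The vulnerable pattern: trust the entry name, join, write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # os.path.join discards dest entirely when the name is absolute,
            # and keeps '..' components untouched.
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Hardened version: canonicalise, then require the result to stay in dest."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names (either separator style) never reach join().
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_real, name))
            # realpath collapses '..' and symlinks; commonpath then proves the
            # final location is dest_real itself or a descendant of it.
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors in a throwaway tree and report where files landed."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        abs_target = os.path.join(root, "abs.txt")
        payload = build_malicious_zip(abs_target)

        # Nested destination so the '../../' entry lands inside the demo tree.
        unsafe_dest = os.path.join(root, "unsafe", "inner")
        os.makedirs(unsafe_dest)
        unsafe_written = unsafe_extract(payload, unsafe_dest)
        escaped = [p for p in unsafe_written
                   if os.path.commonpath([unsafe_dest, os.path.realpath(p)]) != unsafe_dest]

        safe_dest = os.path.join(root, "safe")
        os.makedirs(safe_dest)
        safe_written, rejected = safe_extract(payload, safe_dest)

        return {
            "unsafe_escaped": [os.path.relpath(os.path.realpath(p), root) for p in escaped],
            "safe_written": [os.path.relpath(p, root) for p in safe_written],
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unsafe extractor writing `escaped.txt` and `abs.txt` two levels above its destination, while the safe extractor writes only `safe/notes/ok.txt` and rejects the other two entries. Note that Python's own `ZipFile.extractall` already strips these names; the unsafe function deliberately bypasses it to reproduce the hand-rolled extraction loop that produces this bug class. Two checks matter in the hardened version: rejecting absolute names before `join`, and comparing canonical paths with `commonpath` rather than a string prefix test, which would wrongly accept `dest_real + "-other"`.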