Description
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. During extraction, the program only checks the link arcname within the destination directory, but ignores the combined symlink path resolution. Attackers can exploit this vulnerability by constructing malicious archives, thereby bypassing the directory boundary restrictions implemented by the extractor. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service. This issue has been fixed in version 1.1.3.
Published: 2026-06-24
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in py7zr's extraction routine, where symbolic links inside a 7zip archive are recreated without fully resolving the symlink chain. This allows a crafted archive to place links that point outside the intended destination directory. When the extractor subsequently processes files via these links, it can overwrite arbitrary files on the host, potentially injecting malicious code, corrupting data, or disrupting services. The vulnerability is classified as CWE-59, Improper Link Resolution Before File Access ('Link Following'). As a result, the impact can range from local file corruption to full remote code execution if the extraction occurs with privileged permissions.

Affected Systems

miurahr’s py7zr library is affected. All releases up to and including version 1.1.2 are vulnerable; the fix is available in release 1.1.3 and later. Applications that call the extractall function on untrusted archives and that use any of the impacted versions are at risk.

Risk and Exploitability

The CVSS score of 8 denotes high severity, but no EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that an attacker supplies a malicious archive to an application that imports or extracts data using py7zr. Because the flaw is not triggered by network activity alone, the attacker must have a way to deliver the crafted archive to the target's extraction code, such as via a file upload or an API payload. Once the archive is extracted, the attacker can create symbolic links that point to system files or directories, enabling arbitrary file writes. Although no public exploits have been recorded, the combination of a high severity rating and the realistic exploitation path suggests that the vulnerability should be remediated promptly.

Generated by OpenCVE AI on June 24, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to py7zr version 1.1.3 or later to eliminate unsafe symlink handling.
  • If an upgrade is not immediately possible, run the extraction in a restricted or sandboxed environment to limit access to the host filesystem.
  • Validate archive contents before calling extractall, stripping out or rejecting symbolic links and absolute paths to prevent path traversal.

Generated by OpenCVE AI on June 24, 2026 at 21:54 UTC.
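The validation step recommended above can be made concrete. What follows is an added example, not code from py7zr or from the advisory: a small defender-side extraction routine over constructed archive entries (plain dicts standing in for 7z headers, since the library's own entry API is not shown on this page). It resolves every path with os.path.realpath through links already created on disk, so that a link chain cannot redirect a later write, and rejects any entry whose parent, own path, or link target would land outside the destination. naive_check models the arcname-only lexical check the description calls insufficient; demo runs a two-entry chain (a link "up" -> ".." followed by a regular file under "up/") and a benign in-tree link through both checks.

```python
# Added example (not py7zr's or the advisory's code): a defender-side
# extraction routine that follows symlinks already created on disk before
# writing anything, so a link chain cannot redirect a later write outside dest.
import os
import tempfile


def _resolves_inside(path, root):
    """True if PATH, after following any symlinks that exist on disk, stays under ROOT."""
    real_root = os.path.realpath(root)
    real = os.path.realpath(path)
    return real == real_root or real.startswith(real_root + os.sep)


def naive_check(dest, arcname):
    """Lexical arcname-only check, the kind the description says is insufficient:
    it normalises the arcname against DEST but never follows links on disk."""
    root = os.path.normpath(dest)
    full = os.path.normpath(os.path.join(root, arcname))
    return full == root or full.startswith(root + os.sep)


def safe_extract(entries, dest):
    """Write ENTRIES (constructed dicts standing in for archive headers) under DEST in order.

    Entry shape: {"type": "dir" | "file" | "symlink", "name": arcname,
    "target": link target (symlink only), "data": bytes (file only)}.
    Raises ValueError, before writing, for any entry whose parent, own path or
    link target would resolve outside DEST. Returns the arcnames written.
    """
    dest = os.path.realpath(dest)
    os.makedirs(dest, exist_ok=True)
    written = []
    for entry in entries:
        name = entry["name"]
        parts = [p for p in name.split("/") if p]
        if os.path.isabs(name) or not parts or ".." in parts:
            raise ValueError(f"unsafe arcname: {name!r}")
        full = os.path.join(dest, *parts)
        parent = os.path.dirname(full)
        # Follow links created by earlier entries: the "combined symlink path
        # resolution" that the advisory says the vulnerable versions skipped.
        if not _resolves_inside(parent, dest):
            raise ValueError(f"parent of {name!r} resolves outside destination")
        if not _resolves_inside(full, dest):
            raise ValueError(f"{name!r} resolves outside destination")
        kind = entry["type"]
        if kind == "dir":
            os.makedirs(full, exist_ok=True)
        elif kind == "symlink":
            target = entry["target"]
            # Where the link will point once it exists, resolved from its own directory.
            points_to = target if os.path.isabs(target) else os.path.join(parent, target)
            if not _resolves_inside(points_to, dest):
                raise ValueError(f"symlink {name!r} -> {target!r} escapes destination")
            os.makedirs(parent, exist_ok=True)
            os.symlink(target, full)
        elif kind == "file":
            os.makedirs(parent, exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(entry["data"])
        else:
            raise ValueError(f"unknown entry type {kind!r}")
        written.append(name)
    return written


def demo():
    """Run a constructed symlink chain and a benign archive through both checks."""
    # Chain: the link's arcname "up" sits inside the destination, so an
    # arcname-only check passes it, yet it points one level above dest, and
    # the following regular file would then be written through it.
    chain = [
        {"type": "symlink", "name": "up", "target": ".."},
        {"type": "file", "name": "up/escaped.txt", "data": b"constructed content"},
    ]
    benign = [
        {"type": "dir", "name": "data"},
        {"type": "file", "name": "data/a.txt", "data": b"a"},
        {"type": "symlink", "name": "latest", "target": "data"},  # stays in-tree
        {"type": "file", "name": "latest/b.txt", "data": b"b"},  # written via the link
    ]
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        result["naive_accepts_chain"] = all(naive_check(dest, e["name"]) for e in chain)
        try:
            safe_extract(chain, dest)
            result["chain_rejected_as"] = None
        except ValueError as exc:
            result["chain_rejected_as"] = str(exc)
        result["file_outside_dest"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
        result["benign_written"] = safe_extract(benign, os.path.join(tmp, "out2"))
        result["benign_via_link_exists"] = os.path.isfile(
            os.path.join(tmp, "out2", "data", "b.txt"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the benign case is that symlinks are not rejected wholesale: a link that resolves inside the destination, and a file written through it, are allowed, while the chain is stopped at the first link whose resolved target leaves the tree, before any write happens. Applications that cannot yet upgrade can apply the same resolution rule to the entry list of an untrusted archive before calling extractall.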

Advisories
Source       ID                    Title
Github GHSA  GHSA-q6rc-2cgv-63h7   py7zr: Arbitrary File Write Vulnerability
History

Wed, 24 Jun 2026 20:00:00 +0000

Type         Values Removed   Values Added
Description  -                py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. During extraction, the program only checks the link arcname within the destination directory, but ignores the combined symlink path resolution. Attackers can exploit this vulnerability by constructing malicious archives, thereby bypassing the directory boundary restrictions implemented by the extractor. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service. This issue has been fixed in version 1.1.3.
Title        -                py7zr: Arbitrary File Write Vulnerability
Weaknesses   -                CWE-59
References   -                -
Metrics      -                cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:17:28.605Z

Reserved: 2026-01-16T21:02:02.900Z

Link: CVE-2026-23879

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T22:00:04Z

Weaknesses
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')