9.1

Zdir Pro 4.x Allows Malicious Files to be Written Outside Intended Directory

CVE-2025-66945
Summary

A security flaw in Zdir Pro's ZIP extraction feature allows attackers to write files outside the intended extraction directory. This could lead to data loss or unauthorized access to sensitive information. Update to the latest version of Zdir Pro to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor: zdir
Product: zdir
Affected versions: > 4.1.1, <= 4.6.2
Fix available: –
Original title
A path traversal vulnerability exists in the ZIP extraction API of Zdir Pro 4.x. When a crafted ZIP archive is processed by the backend at /api/extract, files may be written outside the intended di...
Original description
A path traversal vulnerability exists in the ZIP extraction API of Zdir Pro 4.x. When a crafted ZIP archive is processed by the backend at /api/extract, files may be written outside the intended directory, leading to arbitrary file overwrite and potentially remote code execution.
NVD CVSS 3.1: 9.1
Vulnerability type
CWE-787 Out-of-bounds Write
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026