>_ 0dayNews
CVE Record
[ HIGH ] CVE-2023-38831

WinRAR Path Traversal / Spoofed File Extension Code Execution

A vulnerability in RARLAB's WinRAR (versions before 6.23) allows a crafted ZIP archive to execute arbitrary code when a user double-clicks what appears to be an innocuous file (for example a .jpg) inside the archive. The archive also contains a folder with the same name as that file; when the user opens the benign-looking file, WinRAR processes the contents of the same-named folder, and a script placed there runs instead of the file the user meant to view.

Vendor: RARLAB
Product: WinRAR (before 6.23)
CVSS: 7.8 (High)
Status: KEV (listed in CISA's Known Exploited Vulnerabilities catalog)
Published: 2023-08-23
CVE-2023-38831 is a code-execution vulnerability in WinRAR, the widely used Windows archive utility from RARLAB. It was patched in version 6.23, released August 2, 2023, and formally disclosed on August 23, 2023. A specially crafted ZIP archive can contain a benign file (such as a .jpg) alongside a folder bearing the same name. When the user double-clicks the benign file in WinRAR's archive view, WinRAR also processes the contents of the same-named folder, so an executable placed in that folder runs instead of the image the user expected to open. No memory corruption is involved: the flaw is in how WinRAR chooses which extracted item to launch when a file and a folder share a name.
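The archive layout described above is also what a defender can hunt for: a top-level file entry whose name collides with a folder entry, where the folder holds script or executable members. The following scanner is an added example written for this page, not code from RARLAB or from the page's original author. It parses the ZIP central directory with Python's standard `zipfile` module, reports every file/folder name collision, and lists the executable-looking members inside the colliding folder. Two design choices are assumptions rather than facts from the CVE text: names are compared case-insensitively, as Windows does, and trailing whitespace is ignored so that names which differ only by trailing spaces still count as a collision. The sample archives are constructed in memory for the test; the "payload" is a .cmd that only echoes a string.

```python
"""Flag ZIP archives carrying the CVE-2023-38831 file/folder name-collision pattern."""
from __future__ import annotations

import io
import posixpath
import sys
import zipfile

# Extensions that Windows hands to a script interpreter or loader rather than a viewer.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk"}


def _key(name: str) -> str:
    """Normalise a member name for collision checks.

    Drops a trailing '/', then trailing whitespace (assumption: a spoofed name
    may differ from the folder name only by trailing spaces), and lower-cases
    because Windows file names are case-insensitive.
    """
    return name.rstrip("/").rstrip().lower()


def find_decoy_pairs(data: bytes) -> list[dict]:
    """Return one finding per top-level file that shares its name with a folder.

    Each finding records the decoy file name, the colliding folder, and the
    executable-looking members stored inside that folder.
    """
    infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    files: dict[str, str] = {}   # normalised name -> original top-level file name
    dirs: dict[str, str] = {}    # normalised name -> folder prefix ending in '/'

    for zi in infos:
        name = zi.filename
        if name.endswith("/"):
            if name.count("/") == 1:          # explicit top-level directory entry
                dirs[_key(name)] = name
        elif "/" not in name:                 # top-level file
            files[_key(name)] = name
        else:                                 # implicit directory from a nested member
            top = name.split("/", 1)[0]
            if top:
                dirs.setdefault(_key(top), top + "/")

    findings = []
    for key, decoy in files.items():
        folder = dirs.get(key)
        if folder is None:
            continue
        payloads = [
            zi.filename
            for zi in infos
            if not zi.filename.endswith("/")
            and zi.filename.startswith(folder)
            and posixpath.splitext(zi.filename.rstrip())[1].lower() in EXECUTABLE_EXTS
        ]
        findings.append({"decoy": decoy, "folder": folder, "payloads": payloads})
    return findings


def build_sample() -> bytes:
    """Constructed test fixture (not a real exploit): a fake image entry beside a
    same-named folder holding a .cmd whose only content is an echo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chart.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
        zf.writestr("chart.jpg/chart.jpg.cmd", b"@echo off\r\necho harmless test\r\n")
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed control archive with no name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed")
        zf.writestr("images/photo.jpg", b"\xff\xd8\xff\xe0 constructed")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan.py archive1.zip archive2.zip ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for f in find_decoy_pairs(fh.read()):
                print(f"{path}: file {f['decoy']!r} collides with folder "
                      f"{f['folder']!r}; executables inside: {f['payloads']}")
```

A collision with no executable members is still reported, with an empty `payloads` list, because a file and folder sharing a name has no ordinary reason to appear in a user-facing archive and is worth a second look regardless of what the folder contains. The scanner only looks at top-level entries, which is where the user-visible decoy sits when the archive is opened in WinRAR's browser.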

Why it mattered

WinRAR is installed on hundreds of millions of Windows machines and ships with no built-in update mechanism, so a large share of that install base sits on old versions indefinitely; a huge, slow-patching install base is exactly the profile threat actors look for. Group-IB reported exploitation of this flaw in the wild from at least April 2023, months before the patch and the public disclosure, in campaigns against users of cryptocurrency and stock trading forums. The lures were malicious archives posted as trading tools or account documents, which is exactly the scenario the bug enables: the victim opens the archive, double-clicks the innocuous-looking document, and the hidden script runs.

RARLAB's fix in 6.23 changed which item WinRAR launches when a user double-clicks an entry in a specially crafted archive, so that a same-named folder can no longer cause the wrong file to run. CISA added the CVE to its KEV catalog on the strength of the confirmed active exploitation. Because WinRAR does not update itself, remediation guidance emphasized manually installing 6.23 or later and confirming the installed version afterwards. Since exploitation still requires a user to open the archive and double-click the decoy, controls on archive attachments at the mail gateway and user awareness of unexpected archives from forums or chats complement the upgrade. Full technical detail is in RARLAB's release notes for 6.23 and in the NVD entry for CVE-2023-38831.