ArchiveFilesV2 impacted by CVE-2025-11001 and CVE-2025-11002 in 7Zip version < 25.xx

[khkbc]

Two newly disclosed vulnerabilities in 7-Zip could allow attackers to execute arbitrary code by tricking users into opening a malicious ZIP archive. The issues, reported October 7 by Trend Micro’s Zero Day Initiative (ZDI), affect multiple builds of the popular open-source compression tool and were quietly fixed in July.

Tracked as CVE-2025-11001 and CVE-2025-11002, the flaws stem from how 7-Zip parses symbolic links within ZIP files. In essence, a crafted archive can escape its intended extraction directory and write files to other locations on the system. When chained, this can escalate to full code execution under the same privileges as the user, which is enough to compromise a Windows environment. Both vulnerabilities carry a CVSS base score of 7.0.

azure-pipelines-tasks/Tasks/ArchiveFilesV2/make.json

Line 6 in a18ff26

"url": "https://vstsagenttools.blob.core.windows.net/tools/7zip/24.09/7zip.zip",

Update of 7Zip towards v25.01 is required to mitigate risks.

Linked to issue: #21400