Platform: dotnet
Component: progress-telerik-ui-for-winforms
Fixed in: 2025 Q1 (2025.1.211)
CVE-2025-0332 describes a Path Traversal vulnerability discovered in Progress® Telerik® UI for WinForms. This flaw allows an attacker to potentially decompress archive contents into a restricted directory, leading to unauthorized access or code execution. The vulnerability affects versions prior to 2025 Q1 (2025.1.211), and a fix is available in version 2025.1.211.
The core of this vulnerability lies in the improper limitation of a target path when decompressing archives within Telerik UI for WinForms. An attacker could craft a malicious archive designed to exploit this weakness. By manipulating the path, they could force the application to extract files into a directory where they shouldn't have access, potentially overwriting critical system files or injecting malicious code. Successful exploitation could lead to arbitrary code execution, allowing an attacker to gain control of the affected system. The potential impact is significant, especially in environments where Telerik UI for WinForms is used to process user-supplied data or interact with sensitive resources.
CVE-2025-0332 was publicly disclosed on February 12, 2025. As of this date, no public proof-of-concept (PoC) code has been released. The vulnerability's CVSS score of 7.8 (HIGH) indicates a significant potential for exploitation. It is not currently listed on the CISA KEV catalog. Active exploitation campaigns are not currently confirmed, but the availability of the CVE details increases the risk of future attacks.
Exploit Status
EPSS: 0.19% (41st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-0332 is to upgrade to version 2025.1.211 or later. This version includes a fix that properly limits the target path during archive decompression, closing the vulnerability. If an immediate upgrade is not feasible, consider implementing input validation on any user-supplied data used in archive processing, so that archives whose entry paths resolve outside the intended extraction directory are rejected before extraction. Additionally, review and restrict file system permissions to minimize the potential impact of a successful exploit. After upgrading, confirm the fix by attempting to decompress a specially crafted archive with a manipulated path and verifying that the extraction fails with an appropriate error.
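The following is an added example, not Telerik's code or the vendor's fix, showing what "limiting the target path" and the interim input-validation workaround look like in .NET. It uses the standard System.IO.Compression API rather than Telerik's own zip classes (an assumption: the same check applies to any zip library that exposes entry names), and it builds a constructed archive containing a "../" entry to show the check firing and the extraction being refused without writing anything to disk.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;

// Added illustration (not Telerik's code): a zip extractor that rejects any
// entry whose canonical path leaves the destination directory.
public static class SafeZip
{
    // Returns the entry names that would escape destinationDir. An empty list
    // means every entry resolves to a location inside that directory.
    public static List<string> FindEscapingEntries(ZipArchive archive, string destinationDir)
    {
        string root = NormalizeRoot(destinationDir);
        var escaping = new List<string>();
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            if (!IsInside(root, entry.FullName))
                escaping.Add(entry.FullName);
        }
        return escaping;
    }

    // Validates the whole archive first, so a crafted archive writes nothing.
    public static void ExtractToDirectory(string archivePath, string destinationDir)
    {
        string root = NormalizeRoot(destinationDir);
        using ZipArchive archive = ZipFile.OpenRead(archivePath);

        List<string> bad = FindEscapingEntries(archive, destinationDir);
        if (bad.Count > 0)
            throw new InvalidDataException(
                $"Archive rejected: entries escape '{destinationDir}': {string.Join(", ", bad)}");

        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string target = Path.GetFullPath(Path.Combine(root, entry.FullName));
            if (entry.Name.Length == 0)            // directory entry ("dir/")
            {
                Directory.CreateDirectory(target);
                continue;
            }
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.ExtractToFile(target, overwrite: false);
        }
    }

    // Canonical destination with a trailing separator, so that "C:\out" does
    // not accept "C:\outside\evil.txt" as one of its children.
    private static string NormalizeRoot(string dir)
    {
        string full = Path.GetFullPath(dir);
        return full.EndsWith(Path.DirectorySeparatorChar) ? full : full + Path.DirectorySeparatorChar;
    }

    private static bool IsInside(string root, string entryName)
    {
        // Entry names are attacker-controlled. Path.Combine discards root when
        // entryName is absolute, and GetFullPath collapses ".." segments; both
        // cases then fail the prefix test against the canonical root.
        string resolved = Path.GetFullPath(Path.Combine(root, entryName));
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        return resolved.StartsWith(root, cmp);
    }
}

public static class Demo
{
    public static void Main()
    {
        string work = Path.Combine(Path.GetTempPath(), "zip-traversal-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(work);
        string zipPath = Path.Combine(work, "crafted.zip");
        string outDir = Path.Combine(work, "extracted");

        // Constructed test archive: one benign entry and one that tries to
        // climb out of the extraction directory.
        using (ZipArchive z = ZipFile.Open(zipPath, ZipArchiveMode.Create))
        {
            using (var w = new StreamWriter(z.CreateEntry("readme.txt").Open())) w.Write("ok");
            using (var w = new StreamWriter(z.CreateEntry("../escaped.txt").Open())) w.Write("bad");
        }

        try
        {
            SafeZip.ExtractToDirectory(zipPath, outDir);
            Console.WriteLine("Extraction completed (unexpected for this archive).");
        }
        catch (InvalidDataException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
        // Both should be false: nothing was written before the archive was rejected.
        Console.WriteLine("Escaped file exists: " + File.Exists(Path.Combine(work, "escaped.txt")));
        Console.WriteLine("Benign file exists:  " + File.Exists(Path.Combine(outDir, "readme.txt")));
    }
}
```

The same two-pass shape (validate every entry name against the canonical destination, then extract) is what the post-upgrade check in the paragraph above exercises: a crafted archive should produce the rejection message and leave the file system untouched, while an archive with only well-formed relative entries extracts normally.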
Upgrade to version 2025 Q1 (2025.1.211) or later of Telerik UI for WinForms. This will fix the path traversal vulnerability when decompressing archives. Download the latest version from the Progress Software website.
CVE-2025-0332 is a Path Traversal vulnerability affecting Telerik UI for WinForms, allowing attackers to decompress archives into restricted directories, potentially leading to code execution.
You are affected if you are using Telerik UI for WinForms versions prior to 2025.1.211. Check your version and upgrade accordingly.
Upgrade to version 2025.1.211 or later to resolve the vulnerability. Implement input validation as a temporary workaround if upgrading is not immediately possible.
Active exploitation campaigns are not currently confirmed, but the vulnerability's high severity and public disclosure increase the risk of future attacks.
Refer to the Progress® Telerik® Security Advisory for detailed information and updates: [https://www.telerik.com/security/advisories/CVE-2025-0332](https://www.telerik.com/security/advisories/CVE-2025-0332)