CVE-2025-42970
Severity: MEDIUM
SAPCAR >=7.53 <SAP_CAR 7.53 and >=7.22EXT <7.22EXT - Path Traversal via Malicious Archive Extraction
Title source: llmDescription
SAPCAR improperly sanitizes file paths while extracting SAPCAR archives. Because of this, an attacker could craft a malicious SAPCAR archive containing directory traversal sequences. When a highly privileged victim extracts this malicious archive, SAPCAR processes it on their system, causing files to be written outside the intended directory and overwriting files in arbitrary locations. This vulnerability has a high impact on the integrity and availability of the application, with no impact on confidentiality.
References (2)
Core References
Vendor Advisory
https://me.sap.com/notes/3595156
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
5.8
EPSS
0.0015
EPSS Percentile
35.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
SAP_SE/SAPCAR
7.22EXT
SAP_SE/SAPCAR
SAP_CAR 7.53
Published
Jul 08, 2025
Tracked Since
Feb 18, 2026