7-Zip
7-Zip is a free and open-source file archiver software program designed for creating and extracting compressed archives, renowned for its high compression ratios, especially in its native 7z format which employs LZMA and LZMA2 algorithms.[1] Developed by Russian programmer Igor Pavlov and first released in 1999, 7-Zip operates primarily on Microsoft Windows but officially supports Linux and macOS (console versions) since 2021, alongside ports like p7zip.[1][2][3] The software supports packing and unpacking numerous formats, including 7z, XZ, BZIP2, GZIP, TAR, and ZIP for full operations, while offering extraction-only support for over 20 additional formats such as RAR, CAB, ISO, and NTFS images.[1] Key features include AES-256 encryption for secure archiving, integration with the Windows shell for seamless file management, a built-in file manager, command-line interface, and multilingual support in 87 languages, making it a versatile tool for data compression and backup tasks.[1] Licensed under the GNU Lesser General Public License (LGPL) for most components, with some parts under BSD and unRAR restrictions, 7-Zip remains actively maintained, with the latest stable version 25.01 released on August 3, 2025.[4][5]Development and History
Origins and Creator
7-Zip was created by Igor Pavlov, a freelance software developer known for his work on compression technologies. The project began as an open-source initiative to develop a file archiver with superior compression performance compared to existing tools. Pavlov designed and implemented the core components, including early support for multiple archive formats such as GZIP and TAR.[1] Development of 7-Zip commenced in late 1998, with the initial beta version, labeled 2.00 Beta 1, released on January 2, 1999. This early release focused on basic archiving functions, including compression and extraction for formats like GZIP and TAR, with the stable version fixing bugs related to file path handling. The software was hosted on SourceForge starting in November 2000, facilitating community access and contributions under the GNU Lesser General Public License (LGPL) for most code, with some parts under the BSD 3-Clause License.[3][2] The first stable release, version 2.00, arrived on July 18, 1999, introducing improvements such as enhanced compression and decompression speeds and the addition of command-line options like -mx for compression level control. Pavlov's solo development effort emphasized efficiency and openness, positioning 7-Zip as a free alternative to proprietary archivers. Over the years, he has continued to update the software, incorporating new features while maintaining its lightweight footprint. The 7z archive format, featuring LZMA compression, was introduced in version 3.00 in 2001.[3][1]Release Timeline
7-Zip's development has seen steady releases since its inception, with updates focusing on enhanced compression algorithms, broader format support, security improvements, and platform compatibility. The project maintains a changelog on its official website detailing changes across versions.[3] The following table outlines key stable releases, highlighting major milestones in the timeline:| Version | Release Date | Key Changes and Features |
|---|---|---|
| 2.00 | July 18, 1999 | First stable release with improved compression/decompression speed for GZIP and TAR, fixed direct path compression bug, and added -mx switch for compression level.[3] |
| 4.20 | May 30, 2005 | Minor release with no major changes noted.[3] |
| 4.65 | February 3, 2009 | Added SHA-256 checksum calculation in the File Manager.[3] |
| 9.20 | November 18, 2010 | Support for TAR files larger than 8 GB, improved NSIS and WIM support, partial parsing for EXE resources, and bug fixes.[3] |
| 15.14 | December 31, 2015 | File Manager improvements and added Yoruba localization.[3] |
| 18.06 | December 30, 2018 | LZMA/LZMA2 compression speed increased by 3-10%.[3] |
| 19.00 | February 21, 2019 | Enhanced 7z encryption with 128-bit initialization vectors and improved pseudo-random number generation.[3] |
| 21.07 | December 26, 2021 | Support for VHDX extraction and new command-line switches.[3] |
| 23.01 | June 20, 2023 | ARM64 filter for improved compression on ARM processors, better UDF and cpio support.[6] |
| 24.09 | November 29, 2024 | Added SHA-512, SHA-384, SHA3-256, and MD5 hash support.[3] |
| 25.01 | August 3, 2025 | Improved symbolic link handling for security (addressing CVE-2025-55188) and support for over 64 CPU threads.[6] |
Supported Archive Formats
The 7z Format
The 7z format is an openly documented archive file format developed by Igor Pavlov for use with the 7-Zip archiver, introduced in 1999 to achieve high compression ratios while supporting flexible compression algorithms and strong security features.[7] It employs an open architecture that allows integration of various compression methods, making it extensible for future enhancements without altering the core structure.[8] Unlike traditional formats like ZIP, 7z prioritizes efficiency for large datasets, supporting individual files up to 16 exabytes (16,000,000,000 GB) and Unicode file names for international compatibility.[8] Key features of the 7z format include solid compression, where multiple files are treated as a single continuous data stream to improve overall ratios, and compressed archive headers to reduce metadata overhead.[8] It also incorporates AES-256 encryption for securing contents and passwords, derived using a SHA-256-based key derivation function with multiple iterations to enhance resistance against brute-force attacks.[8] The format's design emphasizes little-endian byte order and variable-length integer encoding for compact representation of sizes and offsets, enabling efficient handling of massive archives.[9]Compression Methods and Filters
The 7z format supports multiple compression algorithms, selected via codec IDs in the archive structure, with LZMA serving as the default for its balance of ratio and speed.[8] LZMA (Lempel–Ziv–Markov chain algorithm) uses an optimized LZ77 variant with a dictionary size up to 4 GB, achieving compression speeds of 2–8 MB/s and decompression speeds of 30–100 MB/s on a 4 GHz CPU, while requiring minimal decompression code (~5 KB).[8] LZMA2 extends this with multithreading support and better handling of incompressible data. Other methods include PPMd (prediction by partial matching with Dmitry Shkarutski's PPMdH variant), BZip2 (Burrows–Wheeler transform), and a copy method for uncompressed storage.[8] Pre-processing filters enhance compression for specific data types by rearranging or transforming streams before the main codec:| Filter ID | Description | Target Data Type |
|---|---|---|
| BCJ (0x03030103) | Converts 32-bit x86 calls/jumps to relative offsets | x86 executables |
| BCJ2 (0x0303011B) | Branch-call-jump filter for improved x86 handling | x86 executables |
| ARM (0x03030105) | ARM Thumb decompressor | ARM executables |
| ARM64 (0x03030107) | ARM64 filter | ARM64 executables |
| PPC (0x03030201) | PowerPC filter | PowerPC executables |
| IA64 (0x03030104) | Itanium filter | IA64 executables |
| SPARC (0x03030106) | SPARC filter | SPARC executables |
| RISCV (0x03030108) | RISC-V filter | RISC-V executables |
| Delta (0x03) | Byte-level delta encoding | Audio/WAV files |
| Swap2/Swap4 (0x04/0x05) | Endianness swapping for 16/32-bit values | Multi-byte data |
File Structure
A 7z archive begins with a fixed 32-byte Signature Header for identification and integrity: the magic bytes{'7', 'z', 0xBC, 0xAF, 0x27, 0x1C} (version 0.04), followed by CRC-32 of the Start Header, offset to the next header (UINT64), its size (UINT64), and CRC-32.[9] After the Start Header, the main body consists of the packed data streams (compressed file contents), followed by the End Header, which contains the (possibly encoded) main Header describing the archive contents and using a stream of Property IDs (e.g., 0x01 for Header, 0x06 for PackInfo).[9]
The Header organizes data into PackInfo (packed stream sizes and CRCs), CodersInfo (compression folders with codec IDs, properties, and stream bindings), and SubStreamsInfo (unpacked sizes and folder CRCs).[9] FilesInfo details the unpacked files, including counts, empty file flags, and properties like names (0x01 ID, UTF-16LE encoded), timestamps (CTime/ATime/MTime as 64-bit Windows FILETIME), and attributes (Win32 flags).[9] Packed streams are divided into folders, each processing input streams via specified coders (e.g., LZMA ID 0x030101) with properties like dictionary size, and bind pairs to link output to input streams of subsequent coders.[9] For encrypted archives, the header itself may be packed and encoded, using the same AES-256 mechanism with a header-specific key derived from the password.[9]
This modular structure allows 7z archives to remain compact and verifiable, with CRC-32 checksums ensuring data integrity across streams and the entire archive.[9]
Additional Formats
7-Zip provides extensive support for numerous archive formats beyond its native 7z format, enabling users to create, extract, and manage files across various compression standards commonly used in computing. This versatility stems from the software's design as a free, open-source utility that integrates with established file archiving protocols, allowing seamless interoperability with other tools and systems.[1] For formats that support both packing (creation) and unpacking (extraction), 7-Zip handles XZ, BZIP2, GZIP, TAR, ZIP, and WIM archives. These include widely adopted standards like ZIP, which is ubiquitous in cross-platform file sharing due to its balance of compression efficiency and compatibility, and GZIP, often used for web content and Unix-based data streams. TAR serves as a foundational container for bundling files, frequently combined with compression methods like GZIP or BZIP2 in these implementations. WIM, specific to Windows imaging, facilitates deployment and backup operations in Microsoft environments. This dual support ensures 7-Zip can serve as both a compressor and decompressor in workflows involving these formats.[1] In addition to creation capabilities, 7-Zip offers read-only unpacking for an even broader array of formats, including APFS (Apple File System images), AR (Debian package archives), ARJ (an older compression format), CAB (Microsoft Cabinet files), CHM (Compiled HTML Help files), CPIO (Unix tape archives), CramFS (compressed read-only file systems), DMG (macOS disk images), EXT (Linux file systems), FAT (File Allocation Table), GPT (GUID Partition Table), HFS (Hierarchical File System for macOS), IHEX (Intel HEX files), ISO (optical disc images), LZH (Lempel-Ziv-Huffman compression), LZMA (Lempel-Ziv-Markov chain algorithm streams), MBR (Master Boot Record), MSI (Windows Installer packages), NSIS (Nullsoft Scriptable Install System), NTFS (New Technology File System), QCOW2 (QEMU Copy-On-Write version 2 images), RAR (Roshal Archive, a proprietary format), RPM (Red Hat Package Manager), SquashFS (compressed read-only file system for Linux), UDF (Universal Disk Format), UEFI (Unified Extensible Firmware Interface images), VDI (VirtualBox disk images), VHD (Virtual Hard Disk), VHDX (enhanced Virtual Hard Disk), VMDK (VMware disk images), XAR (eXtensible ARchive for macOS), Z (Unix compress format), and ZSTD (Zstandard archives). This read-only access is particularly valuable for extracting legacy or specialized files without needing proprietary software, such as unpacking RAR archives—a format dominant in multimedia distribution—or ISO images for software installation media. By supporting these, 7-Zip acts as a universal extractor, reducing dependency on multiple specialized tools.[1] The inclusion of file system and disk image formats like NTFS, FAT, EXT, APFS, HFS, and various virtual disk types (VDI, VHD, VMDK) extends 7-Zip's utility to mounting and browsing virtual environments or forensic analysis scenarios, though limited to extraction rather than full manipulation. Similarly, support for package formats such as RPM, DEB-related AR, and MSI aids in software distribution and installation verification. Overall, this comprehensive format compatibility, updated across versions to maintain relevance, underscores 7-Zip's role as a robust, no-cost alternative in file management ecosystems.[1]User Interface and Tools
Graphical File Manager
The 7-Zip File Manager serves as the primary graphical user interface (GUI) for the 7-Zip archiver, providing a dual-panel windowed application for file and archive management on Windows systems. It enables users to browse local and network folders, manipulate files, and perform compression and extraction tasks without relying on the command line. The interface integrates seamlessly with the Windows shell, allowing context menu access from Explorer, and supports keyboard shortcuts for efficient navigation. As of version 25.01, it includes localizations for 87 languages.[1] The main window features two side-by-side panels, switchable via the Tab key, displaying file lists in formats such as large icons, small icons, list, or details view (toggleable with Ctrl+1 through Ctrl+4). Navigation includes access to root-level items like Computer (for drives), Documents (user's My Documents), Network, and low-level disk access via \. for viewing partitions or copying ISO files (requiring administrator rights for certain operations). Users can refresh views (Ctrl+R), sort by name, type, date, or size (Ctrl+F3 for name), and manage selections with options like select all (Shift+Grey+), deselect all (Shift+Grey-), or invert (Grey*). The toolbar provides quick buttons for common actions, including opening files (Enter), renaming (F2), creating folders (F7), and viewing properties (Alt+Enter). Recent updates include improved drag-and-drop support (added in version 23.00).[1][10] Archive operations are central to the File Manager's functionality, with dedicated tools for creating, extracting, and editing archives directly in the GUI. To create an archive, users select files or folders and click the "Add" button, opening a dialog to specify format (e.g., 7z, ZIP), compression level, method (LZMA, LZMA2), dictionary size, and encryption options like AES-256 passwords. Extraction uses the "Extract" button or drag-and-drop, supporting formats such as 7z, ZIP, RAR, TAR, GZIP, and many others for unpacking, with prompts for large-memory RAR files. Additional features include splitting files into volumes, combining split archives, self-extracting archive creation, and benchmarking compression/decompression speeds via the Tools menu to assess hardware performance. In version 24.04, a new "Tools / Delete Temporary Files..." menu item was added for managing temporary files. Drag-and-drop within panels avoids temporary files for extractions, enhancing efficiency.[1][10] Customization options are accessible through the Tools > Options dialog, allowing users to integrate 7-Zip into shell context menus (with cascading or icon support), associate file extensions (e.g., .7z, .zip) for current or all users, and set temporary folder paths for archives. The interface supports real file icons, full row selection, grid lines, and single-click opening, with toggles for system menu integration and large memory pages on compatible systems (1 GB+ RAM, Windows XP x64 or later). Language selection from 87 available localizations is also configurable, ensuring accessibility across regions. In version 22.00, the "Options" window in "Add to archive" added metadata selection and an option to not change source files' last access time. Plugins for extended functionality, such as additional format support, can be loaded via the options.[1][10]Command-Line Interface
The command-line interface (CLI) of 7-Zip is provided by the executable7z.exe, which serves as a powerful tool for archiving and compression tasks directly from the terminal or scripts. It leverages the core 7z.dll library from the 7-Zip package, enabling operations on a wide range of archive formats including 7z, ZIP, GZIP, BZIP2, and others. Unlike the graphical user interface, the CLI emphasizes automation, scripting, and integration into batch processes, supporting features like recursion, password protection, and multi-volume archives. As of version 25.01, it supports absolute pathnames and simplified syntax for adding folders.[1][10]
The general syntax for 7z.exe follows the structure 7z <command> [<switches>] <archive_name> [<files>], where the command specifies the operation, switches modify behavior, and arguments include wildcards, filenames, or list files (denoted as @filename). Commands are case-insensitive, and wildcards such as * (for any characters) and ? (for single characters) allow flexible file selection; if no files are specified, all files in the current directory are processed by default. This syntax supports piping input/output via -si (standard input) and -so (standard output) for advanced scripting.[1]
Key commands include:
- a (Add): Adds files or folders to a new or existing archive, supporting recursion with the
-rswitch. For example,7z a -t7z archive.7z *.doc -mx9creates a highly compressed 7z archive of all.docfiles using maximum compression level. It can also generate self-extracting archives with-sfx.[1] - d (Delete): Removes specified files from an archive without altering others, useful for maintenance. Syntax:
7z d archive.7z unwanted.txt.[1] - e (Extract): Extracts files from an archive to the current directory, ignoring full paths (use
xfor path preservation). Example:7z e archive.7z -oC:\outputextracts to a specified folder.[1] - l (List): Displays the contents of an archive, including sizes, dates, and attributes.
7z l archive.7zprovides a detailed verbose listing.[1] - t (Test): Verifies the integrity of an archive by checking for corruption or errors.
7z t archive.7zreports any issues found.[1] - u (Update): Adds, replaces, or deletes files in an existing archive based on timestamps or criteria. Example:
7z u archive.7z newfile.txtupdates if newer.[1]
b (Benchmark) test compression/decompression speeds on the system, and h (Hash) computes checksums for files.[1]
Essential switches enhance functionality across commands. The -mx[<value>] switch sets compression level (0 for store only, 9 for ultra), balancing speed and ratio—e.g., -mx9 achieves the highest compression but is CPU-intensive. The -p<password> switch enables AES-256 encryption for secure archives. Output directory is controlled via -o<directory>, recursion with -r, and exclusions with -x!<pattern> (e.g., -x!.git skips Git folders). Archive type is specified by -t{type} (default 7z), and volumes with -v<size> for splitting large files. The -y switch assumes "yes" to all prompts for non-interactive use, ideal for scripts. Recent additions include switches like -myv, -myfa, -myfd for 7z archive compatibility and filter control (version 24.05). Exit codes (0 for success, 1 for warning, 2+ for errors) allow error handling in automation.[1][10]
A standalone variant, 7za.exe, operates independently without external DLLs, supporting only core formats like 7z, ZIP, GZIP, BZIP2, TAR, and CAB, making it suitable for minimal environments or portable use. While primarily designed for Windows, the CLI is adaptable via ports like p7zip for Unix-like systems, maintaining similar syntax.[1]
Core Features
Compression Algorithms
7-Zip incorporates multiple compression algorithms to support efficient data reduction across various archive formats, with a focus on achieving high ratios while balancing speed and resource usage. The software's core strength lies in its implementation of advanced methods like LZMA and LZMA2 for the proprietary 7z format, alongside support for established algorithms such as PPMd, BZip2, and Deflate for compatibility with other formats. These algorithms are selected based on the target archive type, file characteristics, and user-specified options, allowing flexibility in compression levels from store (no compression) to ultra.[8][1] The default and most prominent algorithm in 7-Zip is LZMA (Lempel–Ziv–Markov chain algorithm), an optimized variant of the LZ77 dictionary-based method enhanced with range encoding and adaptive probability modeling via Markov chains. LZMA excels in providing high compression ratios, particularly for binary and mixed data, with support for dictionary sizes up to 4 GB to handle large files effectively. On a 4 GHz CPU, it achieves compression speeds of 2-8 MB/s in fast mode and decompression speeds of 30-100 MB/s, while requiring only about 5 KB for the decompressor code, making it suitable for embedded applications. LZMA is the general-purpose method for 7z archives and is also available for ZIP and other formats.[8][11] LZMA2 builds upon LZMA by introducing multithreading support, which parallelizes compression across multiple CPU cores for improved performance on modern hardware without sacrificing ratio. It serves as the recommended method for 7z and XZ formats in multithreaded scenarios, offering better efficiency for large datasets while maintaining fast single-threaded decompression. LZMA2 also includes enhancements for handling incompressible blocks, reducing overhead in mixed-content archives. This algorithm is particularly impactful for high-performance archiving, as it can leverage 4 or more cores to accelerate processing while achieving compression ratios comparable to or better than LZMA.[8][11] For text-heavy files, 7-Zip utilizes PPMd (Prediction by Partial Matching, version d), an implementation based on Dmitry Shkarin's PPMdH algorithm with minor modifications. PPMd employs context-based statistical modeling to predict and encode symbols, yielding excellent ratios for plain text and similar structured data, often outperforming LZMA on such inputs. It supports configurable order and memory usage, with strong performance in solid archiving modes where files are compressed together for better entropy exploitation. PPMd is supported in 7z, ZIP, and other formats, providing a specialized option when maximum text compression is prioritized over speed.[8] BZip2, based on the Burrows-Wheeler transform followed by Huffman coding and run-length encoding, is integrated for broader format compatibility and as an alternative in 7z archives. This algorithm sorts data to group similar characters, enhancing compressibility for repetitive or sorted content, though it generally offers lower ratios than LZMA for general use. 7-Zip's BZip2 implementation supports dictionary sizes up to 900 KB and multithreading, making it viable for standalone .bz2 files or within multi-method archives. It is particularly useful for scenarios requiring adherence to standards like those in TAR.BZ2.[8] Deflate, the standard algorithm for ZIP and GZIP formats, combines LZ77 sliding-window matching with Huffman coding for dynamic entropy reduction. 7-Zip enhances Deflate with higher compression levels and extended variants like Deflate64, achieving 2-10% better ratios than typical implementations. This method prioritizes compatibility and moderate speed, with compression levels adjustable from 1-9, and is essential for interoperability with legacy systems. Additionally, 7-Zip supports uncompressed storage via the Copy method for files where reduction is unnecessary.[1] To further optimize ratios, 7-Zip applies filters as preprocessors to the main algorithms, transforming data streams for better compressibility. These include BCJ and BCJ2 for x86 executables (reordering calls and jumps), ARM/ARMT/ARM64 for ARM binaries, PPC for PowerPC, SPARC, IA64 for respective architectures, Delta for delta-encoded data like WAV audio, and byte-swapping filters like Swap2/Swap4. Filters are format-specific, primarily enhancing 7z and XZ compression by up to 20-30% for executable-heavy archives without altering the core algorithm.[8]| Archive Format | Supported Compression Methods | Key Notes |
|---|---|---|
| 7z | LZMA, LZMA2, PPMd, BZip2, Deflate, Copy | LZMA/LZMA2 default; filters available for optimization. |
| ZIP | Deflate, Deflate64, BZip2, LZMA, PPMd, Copy | Multithreading and encryption supported. |
| GZIP | Deflate | Levels 1-9; fast bytes and passes configurable. |
| BZIP2 | BZip2 | Standalone; dictionary up to 900 KB. |
| XZ | LZMA2 | Filters and solid mode enabled. |
Encryption Capabilities
7-Zip supports robust encryption primarily through the AES-256 algorithm, which is applied to both the 7z and ZIP archive formats.[1] This encryption secures file contents by generating a 256-bit cipher key derived from a user-provided password, ensuring that archived data remains protected against unauthorized access.[8] In the 7z format, encryption extends to the archive headers, allowing file names and metadata to be obscured when the "-mhe=on" option is used during compression.[12] The key derivation function relies on the SHA-256 hash algorithm, performing a high number of iterations—specifically 524,288 (2^19)—to derive the encryption key from the password, thereby increasing resistance to brute-force attacks by elevating the computational cost of password guessing.[13] Unlike some modern standards, this process does not incorporate a random salt, which can make identical passwords produce the same key across archives, potentially aiding attackers in targeted scenarios.[14] For ZIP archives, 7-Zip implements AES-256 encryption for file contents, offering a significant improvement over the legacy ZipCrypto method, which is weaker and discouraged for security-sensitive uses.[1] However, ZIP format limitations prevent encryption of file names and headers in 7-Zip, leaving metadata visible even in password-protected archives.[15] Users can select AES-256 explicitly in the graphical interface or via command-line options like "-mhe" for compatible elements, ensuring compatibility with other tools supporting the WinZip AES extension.[12] The encryption process operates in Cipher Block Chaining (CBC) mode with a unique initialization vector per file, preventing identical plaintexts from producing identical ciphertexts and enhancing overall security.[16] Self-extracting (SFX) archives in 7z format also support this encryption, allowing password-protected executables that unpack only upon correct authentication.[1]Security Considerations
Known Vulnerabilities
7-Zip, like many archive utilities, has faced vulnerabilities primarily in its file parsing and decompression routines, which can lead to remote code execution (RCE), denial-of-service (DoS), or privilege escalation when processing malicious archives. These issues often stem from insufficient input validation in supported formats such as 7z, ZIP, RAR, and Zstandard, requiring user interaction like opening a crafted file. The software's open-source nature allows for community scrutiny, but exploitation has been reported in real-world attacks, particularly targeting Windows installations. A notable early vulnerability, CVE-2018-10115, involved a heap-based buffer overflow in the RAR unpacking code, enabling memory corruption and potential RCE via specially crafted RAR archives. This flaw affected versions prior to 18.05 and was fixed in that release by improving boundary checks during decompression. Exploitation required convincing a user to extract the malicious archive, but it highlighted risks in legacy format handling.[3] In 2023, multiple high-severity issues emerged in versions before 23.00. CVE-2023-31102 was an integer underflow in the PPMd7.c component during 7z archive parsing, allowing invalid memory reads and potential RCE through crafted files. Similarly, CVE-2023-40481 involved an out-of-bounds write in the SquashFS file parsing, also enabling RCE by overwriting heap memory. Both were addressed in 7-Zip 23.00 with enhanced validation routines, and they were disclosed via the Zero Day Initiative. These vulnerabilities underscored the dangers of complex compression algorithms like PPMd and SquashFS parsing.[17][18][3] More recently, in 2024, CVE-2024-11477 affected Zstandard decompression in versions up to 24.06, causing an integer underflow that permitted arbitrary memory writes and RCE. Attackers could exploit this by tricking users into decompressing a malicious .zst file, with a CVSS score of 7.8 (High). The issue was patched in 24.07 by adding proper data validation.[19][20][3] In 2025, several critical flaws were identified. CVE-2025-0411, a Mark-of-the-Web (MotW) bypass in versions before 24.09, allowed attackers to evade Windows security zones by extracting files from crafted archives without inheriting zone identifiers, facilitating malware distribution like SmokeLoader. Rated at CVSS 7.0 (High), it was actively exploited in targeted campaigns against Ukrainian organizations and fixed in 24.09.[21][22][23] Directory traversal vulnerabilities CVE-2025-11001 and CVE-2025-11002, both with CVSS 7.0, enabled RCE in ZIP parsing by mishandling symbolic links in crafted archives, allowing extraction outside intended directories in versions before 25.00. Disclosed by the Zero Day Initiative, these were mitigated in 25.00 through path canonicalization and symlink blocking. Additionally, CVE-2025-53816 involved a heap buffer overflow in the RAR5 handler, leading to DoS via memory corruption in pre-25.00 versions, fixed by correcting buffer management.[24][25][26][3] Overall, 7-Zip's developers have consistently released patches in response to these disclosures, often within weeks, emphasizing the importance of keeping the software updated to prevent exploitation. Users are advised to avoid extracting untrusted archives and enable sandboxing where possible.[3]Patches and Best Practices
7-Zip developers have issued patches for multiple vulnerabilities primarily affecting archive decompression and extraction, often involving buffer overflows, crashes, or bypasses that could enable remote code execution or path traversal. In version 24.07, released on June 19, 2024, a fix was implemented for CVE-2024-11477, which addressed crashes triggered by malformed Zstandard (ZSTD) archives during decompression, potentially allowing arbitrary code execution if users processed untrusted files.[3] This vulnerability, rated critical with a CVSS score of 7.8, highlighted risks in handling compressed data from external sources. Subsequent updates continued to bolster security. Version 24.08, dated August 11, 2024, resolved CVE-2024-11612, covering unspecified bugs that could compromise stability and lead to exploitation in archive processing.[3] Version 24.09, released November 29, 2024, patched CVE-2025-0411, a high-severity issue enabling attackers to bypass Windows' Mark-of-the-Web (MotW) security feature via crafted archives, facilitating malware distribution like SmokeLoader without triggering warnings.[27] In version 25.00 from July 5, 2025, fixes targeted CVE-2025-53816 (issues with incorrect RAR archives) and CVE-2025-53817 (crashes in COM archive handling), preventing potential denial-of-service or code execution scenarios.[3] The most recent patch in version 25.01, on August 3, 2025, mitigated CVE-2025-55188 by enhancing symbolic link handling during extraction to block path traversal attacks, with an optional -snld switch introduced to override default protections for advanced users.[3] Older but significant patches include version 18.05's resolution of CVE-2018-10115 in RAR unpacking code, which could cause heap-based buffer overflows, and version 16.03's safeguards against DLL preloading attacks in the installer and self-extracting (SFX) modules.[3] These updates underscore 7-Zip's ongoing efforts to address flaws in supported formats like ZIP, RAR, and 7z, often disclosed through coordinated vulnerability reporting. To minimize risks, users should maintain 7-Zip at the latest version, downloadable exclusively from the official website to avoid tampered distributions.[1] When creating encrypted archives with AES-256 support, employ strong, unique passwords—at least 12 characters mixing letters, numbers, and symbols—and share them via separate, secure methods like phone calls rather than emailing alongside the file, reducing interception risks during transit.[28] Always verify the integrity of downloaded archives using checksums provided on the official site. Prior to extraction, scan files with up-to-date antivirus software, as malicious archives can exploit decompression flaws even in patched versions if content is rigged for evasion.[27] Refrain from processing archives from untrusted or unknown sources, and consider disabling automatic extraction or using isolated environments like virtual machines for high-risk files.[29] Organizations should implement regular patching protocols, audit installations for outdated versions, and monitor endpoints for anomalous behavior post-extraction, such as unexpected process launches.[21] These practices align with broader cybersecurity guidelines for handling compressed files.[30]Software Ecosystem
Main Versions and Platforms
7-Zip's development has progressed through numbered releases since its inception in 1999, with the current stable version being 25.01, released on August 3, 2025.[6] Earlier major versions include 23.01 from June 20, 2023, which introduced improvements in multi-threading for compression, and 19.00 from February 21, 2019, focusing on enhanced support for Unicode and larger file handling.[6] These releases typically emphasize optimizations in compression algorithms, bug fixes, and expanded format compatibility, with updates occurring irregularly based on developer Igor Pavlov's contributions under the GNU LGPL license.[8] The software's versioning scheme uses a year-month format for minor updates, such as 16.04 from October 4, 2016, which added better integration with Windows shell extensions.[6] Older versions like 9.20 from November 18, 2010, remain available for legacy systems but lack support for modern hardware accelerations.[6] Source code for all versions is provided, allowing compilation for custom needs, and the LZMA SDK enables integration of core compression tools into other applications.[11] 7-Zip is primarily designed for Microsoft Windows, supporting a wide range of editions from Windows XP through Windows 11, including both 32-bit and 64-bit architectures, as well as ARM64.[1][31] It offers full graphical user interface (GUI) functionality via integration with Windows Explorer, alongside standalone executable and MSI installer options.[6] For server environments, compatibility extends to Windows Server 2022, 2019, 2016, 2012, 2008, and 2003.[1] Cross-platform support has expanded in recent versions, with console-only builds available for Linux (32-bit x86, 64-bit x86-64, 32-bit ARM, 64-bit ARM64) and macOS (x86-64 and ARM64).[6] These builds, distributed as .tar.xz archives, provide command-line access to compression and extraction without a native GUI, replacing the need for the obsolete p7zip port for Unix-like systems.[32] Additionally, 7-Zip can be compiled from source for other platforms like BSD and ReactOS, though official binaries are limited to Windows, Linux, and macOS.[6]| Platform | Supported Architectures | Interface Type | Distribution Format |
|---|---|---|---|
| Windows | x86 (32-bit), x64 (64-bit), ARM64 | GUI and Console | .exe, .msi, .7z |
| Linux | x86 (32-bit), x86-64 (64-bit), ARM (32/64-bit) | Console | .tar.xz |
| macOS | x86-64, ARM64 | Console | .tar.xz |
Forks and Derivatives
Several forks and derivatives of 7-Zip have emerged to extend its functionality, add support for additional codecs, or tailor it to specific platforms and use cases. These projects leverage the open-source nature of 7-Zip's code under the GNU LGPL license, often incorporating enhancements like modern compression algorithms or improved user interfaces.[32] One prominent derivative is p7zip, an early port of 7-Zip's command-line interface for Linux and Unix-like systems, developed independently to enable archiving capabilities on non-Windows platforms. Released up to version 16.02, p7zip has become largely obsolete following 7-Zip's native Linux support starting in version 21.01, though it persists in some legacy environments due to its established integration.[32][33] Active forks of p7zip continue development, addressing outdated components and adding contemporary features. The p7zip-project fork integrates codecs such as Zstandard (v1.5.2), LZ4 (v1.9.3), Brotli (v1.0.9), and others, alongside multithreading improvements via the zstdmt library, making it suitable for Unix-like systems requiring high-performance compression. Similarly, the fork by jinfeihan57 enhances p7zip with additional codecs and bug fixes, maintaining compatibility with 7-Zip's core architecture while supporting modern hardware. Both forks are command-line focused and actively maintained as of 2023.[34][35] NanaZip represents a Windows-centric fork aimed at enhancing the user experience on modern versions like Windows 10 and 11. It incorporates elements from 7-Zip 24.09, 7-Zip ZS, and 7-Zip NSIS, adding features such as dark mode, Mica visual effects, MSIX packaging, and extended context menu integration. NanaZip also supports advanced hash algorithms (e.g., SHA-256) and codecs like Brotli and Zstandard, with built-in security measures including Control Flow Guard. Available via the Microsoft Store and GitHub, it targets users seeking a polished graphical interface without sacrificing 7-Zip's compression efficiency.[36] Another notable fork is 7-Zip ZS (also known as 7-Zip-zstd), which extends the original with support for high-ratio codecs including Zstandard, Brotli, Fast-LZMA2, LZ4, LZ5, and Lizard. This derivative emphasizes improved compression for diverse data types, using a multithreading library for better performance on multi-core systems. Primarily command-line based but compatible with graphical wrappers, it remains under active development and is distributed through GitHub releases for Windows and other platforms.[37][38] Niche derivatives include torrent7z, a specialized variant designed to produce deterministic .7z archives optimized for torrent distribution, ensuring byte-for-byte consistency across builds to facilitate seeding and verification in peer-to-peer networks. This fork modifies 7-Zip's compression process for reproducibility, primarily targeting content preservation in archiving communities.[39]Plugins and Extensions
7-Zip supports extensibility through plugins that enhance its functionality, primarily by adding support for additional file formats, compression algorithms, and specialized tools. These plugins are typically developed by third parties and integrate with the 7-Zip DLL, allowing seamless operation within the archiver's interface. The official 7-Zip distribution includes a dedicated plugin for the FAR Manager file manager, which enables users to handle archives directly within FAR as if they were folders, supporting operations like extraction and updates for formats such as ZIP, RAR, GZIP, and TAR.[6][40] A prominent source of community-developed plugins is TC4Shell, which offers a collection of free extensions designed to expand 7-Zip's capabilities without modifying the core software. These plugins are installed by placing DLL files in the 7-Zip plugins directory and can be managed via the program's options menu.[32][41] Key plugins from TC4Shell include:- Modern7z (version 1.9.1): Integrates modern compression algorithms into 7-Zip, such as Zstandard (v1.5.6) and Brotli (v1.1.0), enabling higher compression ratios and faster processing for supported formats. Last updated August 20, 2024.
- Iso7z (version 1.8.7): Allows direct extraction of files from disc image formats like ISO and NRG without mounting the image, streamlining access to archived media content. Last updated July 17, 2023.[42]
- Asar7z (version 1.5): Provides support for Electron's ASAR (Atom Shell Archive) format, permitting the opening, creation, and modification of these archives commonly used in desktop applications. Last updated November 14, 2023.
- eDecoder (version 1.20.8): Facilitates handling of email and web archive files, including EML, MBOX, and MHTML, with options to extract or encode content for analysis. Last updated September 2, 2023.
- WinCryptHashers (version 1.4): Adds cryptographic hashing tools, computing checksums like MD5 and SHA-512, and generating verification files to ensure file integrity during archiving. Last updated January 29, 2024.
- Forensic7z (version 1.6): Enables browsing of forensic disk images in formats such as E01 and AFF, useful for digital investigations by preserving chain-of-custody metadata. Last updated December 31, 2021.