Directory Traversal Vulnerability in SAPCAR by SAP
CVE-2025-42970

5.8MEDIUM

Key Information:

Vendor: SAP
Status: SAPcar
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-42970?

SAPCAR contains a flaw in its handling of file paths during the extraction of SAPCAR archives. This flaw allows attackers to create malicious archives with directory traversal sequences. When an unsuspecting user with elevated privileges extracts such an archive, it can lead to the extraction of files outside the designated directories, potentially overwriting critical files in arbitrary locations on the system. This vulnerability poses significant risks to the integrity and availability of the application, as it enables unauthorized access to system resources.

Affected Version(s)

SAPCAR SAP_CAR 7.53

SAPCAR 7.22EXT

References

https://me.sap.com/notes/3595156

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Apr 16, 2025