Update bundled 7zip executables to v25.01

[nagten]

Checklist

• I have verified this is the correct repository for opening this issue.
• I have verified no other issues exist related to my request.

Is Your Feature Request Related To A Problem? Please describe.

There is a CVE (CVE-2025-55188) associated with 7-zip, which has been addressed in version 25.01.

Describe The Solution. Why is it needed?

Update the embedded 7-zip binaries to the latest version, and ship a new release of Chocolatey CLI.

Additional Context

See https://nvd.nist.gov/vuln/detail/CVE-2025-55188 and https://github.com/ip7z/7zip/releases

Related Issues

#3779

[github-actions]

To vote for this issue, please add a 👍 emoji to the issue description. Votes in comments are not recorded.

[pauby]

We're currently investigating this, including the severity of the issue and the implications for packages.

[t-h-e-c-h-e-f]

@pauby Any movement on this issue?

7zip vulns in Chocolatey is something that comes up repeatedly, and it certainly doesn't take two weeks to add the updated binaries and ship a new version.

Is there a more automated fashion that can be used to populate updated 7zip binaries when they are released? This would be helpful, because as it stands currently, Chocolatey continues to show up on audits for 7zip remediation that is available, just not bundled with Chocolatey.

Thanks!

[pauby]

7zip vulns in Chocolatey is something that comes up repeatedly,

I don't believe that is the case. Can you elaborate on this with more information?

and it certainly doesn't take two weeks to add the updated binaries and ship a new version.

I didn't say that is what we were doing. I said:

We're currently investigating this, including the severity of the issue and the implications for packages.

Is there a more automated fashion that can be used to populate updated 7zip binaries when they are released? This would be helpful, because as it stands currently, Chocolatey continues to show up on audits for 7zip remediation that is available, just not bundled with Chocolatey.

Just to reiterate what I said above, I didn't say we were shipping a new version, automation is not a factor.

When an issue like this is discovered, we perform a thorough review to determine if product(s) are actually affected.

[jmarshbdo]

7zip vulns in Chocolatey is something that comes up repeatedly,

I want to chime in with my $0.02 here as someone who has been negatively impacted by 7zip CVEs within Chocolatey.

The CVE relative to this issue was opened 20 days ago, and is for the 7zip third party binaries.

What that means is that this vulnerability exists on every Windows system running Chocolatey, and compliance scanners like Tenable, Qualys, etc have picked this up as both requiring remediation, and able to remediate by upgrading 7zip to >=25.01. So the clock has been ticking.

With a relatively low score of 3.6, compliance policies are such that it's not an emergency, but that it's expected to be remediated within 30 days.

I don't believe that is the case. Can you elaborate on this with more information?

I tend to agree with the previous commenter. This is the third time in recent memory that things are coming down to the wire with a 7zip vulnerability that has impacted Chocolatey, which could be remediated by committing the two new 7zip binaries, along with the license file, and changing the version number in the credits, and pester test. Due diligence is, of course, of the utmost importance. However, how much due diligence is actually going to be performed on 7zip, a piece of third party software that is being bundled with Chocolatey?

I see no reason that this shouldn't have been updated and a new release published as soon as 25.01 was available.