
7-Zip 25.00 Adds 64+ Thread Support and Security Fixes

Author: Ze Research Writer

7-Zip version 25.00 released on July 5, 2025, introduces support for more than 64 CPU threads during compression operations and addresses two CVE-tracked security vulnerabilities affecting RAR and COM archive handling.

## Executive Brief


Igor Pavlov released 7-Zip version 25.00 on July 5, 2025, marking a significant update to the widely used open-source file archiver. The release removes a longstanding limitation that prevented the Windows version from utilizing more than 64 CPU threads during compression operations. Systems with high core counts can now leverage their full processing capacity when creating zip, 7z, and xz archives.

The update also delivers performance improvements for bzip2 compression, with speed increases ranging from 15 to 40 percent depending on the workload. Deflate compression used in zip and gzip formats sees more modest gains of 1 to 3 percent.

Two security vulnerabilities received patches in this release. CVE-2025-53816 addresses incorrect handling of certain malformed RAR archives, while CVE-2025-53817 fixes a crash condition triggered by malformed COM archives. Both issues could cause the application to behave incorrectly or terminate unexpectedly when processing specially crafted archive files.

7-Zip remains one of the most downloaded compression utilities, with the SourceForge project recording hundreds of millions of downloads over its two-decade history. The software supports a wide range of archive formats and is frequently bundled with development toolchains and system administration utilities. Organizations using 7-Zip for automated archive processing should evaluate the security fixes, particularly those handling archives from untrusted sources.

What Happened

On July 5, 2025, Igor Pavlov published 7-Zip version 25.00 through the official 7-zip.org website and the project's GitHub repository. The release changelog documents several categories of changes spanning performance, capability, and security.

The headline feature removes the 64-thread ceiling that previously constrained compression operations on Windows. According to the changelog, 7-Zip for Windows can now use more than 64 CPU threads for compression to zip, 7z, and xz archives, as well as for the built-in benchmark utility. The limitation stemmed from Windows API constraints around processor groups, which the new version addresses.

Performance work targeted the bzip2 compression algorithm, achieving speed improvements between 15 and 40 percent. The deflate algorithm used in standard zip and gzip formats received smaller optimizations yielding 1 to 3 percent faster compression.

The security fixes address two distinct vulnerabilities. CVE-2025-53816 relates to incorrect behavior when processing certain malformed RAR archives. CVE-2025-53817 involves a crash condition when handling malformed COM archives. The changelog describes both as bugs that could cause 7-Zip to work incorrectly or crash, without indicating evidence of exploitation in the wild.

Key Claims and Evidence

The official changelog provides the primary technical documentation for version 25.00. The claims regarding thread support, performance improvements, and security fixes come directly from this source.

Thread Support: The changelog states that 7-Zip for Windows can now use more than 64 CPU threads for compression operations. The specific formats mentioned are zip, 7z, and xz archives. The benchmark utility also gains this capability.

Performance Improvements: Bzip2 compression speed increased by 15 to 40 percent according to the changelog. Deflate compression speed increased by 1 to 3 percent. No specific test methodology or hardware configurations are documented.

Security Fixes: Two CVE identifiers are referenced. CVE-2025-53816 addresses incorrect behavior with malformed RAR archives. CVE-2025-53817 addresses crash conditions with malformed COM archives. The changelog does not provide CVSS scores or detailed technical descriptions of the vulnerabilities.

The GitHub release mirrors the changelog information and provides source code access. The SourceForge project page hosts the binary distributions.

Pros / Opportunities

High-Core-Count Systems: Workstations and servers with more than 64 logical processors can now fully utilize their hardware during compression operations. Threadripper, EPYC, and Xeon systems with high core counts stand to benefit most significantly.

Faster Bzip2 Operations: The 15 to 40 percent speed improvement for bzip2 compression benefits workflows that rely on this algorithm. Bzip2 remains common in Linux distribution packages and certain backup systems.

Security Posture: Organizations can address two CVE-tracked vulnerabilities by updating to version 25.00. The fixes reduce risk when processing archives from untrusted sources.

Benchmark Improvements: The benchmark utility's expanded thread support allows more accurate performance testing on high-core-count systems.

Cons / Risks / Limitations

Windows-Specific Thread Enhancement: The 64+ thread support specifically addresses Windows limitations. Linux and other platforms already handled high thread counts differently, so the benefit is platform-specific.

Unquantified Security Impact: The changelog does not provide severity ratings or detailed technical descriptions for the CVE-tracked vulnerabilities. Organizations cannot easily assess the urgency of updating based on the available information.

Limited Deflate Improvement: The 1 to 3 percent improvement for deflate compression represents a marginal gain. Workflows primarily using zip format may see minimal benefit from updating.

Testing Requirements: Organizations with automated archive processing pipelines should test the new version before deployment to ensure compatibility with existing workflows.

How the Technology Works

7-Zip implements multiple compression algorithms and archive formats through a modular architecture. The core compression engine handles the mathematical operations that reduce file sizes, while format handlers manage the specific container structures for different archive types.

Thread Scaling: Modern CPUs with many cores benefit from parallel compression when the workload can be divided. 7-Zip splits input data into blocks that can be compressed independently, then combines the results. The previous 64-thread limit on Windows related to how the operating system organizes processors into groups. Version 25.00 implements cross-group thread management to access all available processors.

Bzip2 Algorithm: Bzip2 uses the Burrows-Wheeler transform followed by move-to-front encoding and Huffman coding. The algorithm achieves high compression ratios but historically ran slower than alternatives like deflate. The performance improvements in version 25.00 likely involve optimized implementations of these transform stages.

Archive Format Handling: 7-Zip reads and writes numerous archive formats including its native 7z format, standard zip, tar, gzip, bzip2, xz, RAR (read-only), and others. Each format has specific parsing requirements, and malformed archives can trigger edge cases in the parsing code. The CVE fixes address such edge cases in RAR and COM archive handling.

Technical context (optional): The 64-thread limit on Windows stems from the processor group architecture introduced in Windows 7 for systems with more than 64 logical processors. Applications must explicitly opt into cross-group scheduling to access all processors. The 7-Zip update implements this capability for compression operations.

Why It Matters Beyond the Company or Product

7-Zip occupies a foundational position in software development and system administration toolchains. The utility appears in build scripts, deployment pipelines, backup systems, and countless manual workflows. Changes to 7-Zip ripple through these dependent systems.

The removal of the 64-thread ceiling reflects broader hardware trends. Consumer and professional workstations increasingly ship with high core counts. AMD's Threadripper line offers up to 96 cores, while server processors from AMD and Intel exceed 100 cores. Software that cannot utilize this hardware leaves performance on the table.

The security fixes highlight ongoing challenges with archive format parsing. Archive formats evolved over decades with varying levels of specification rigor. Implementations must handle malformed inputs gracefully, and vulnerabilities in archive handling code have historically enabled attacks through malicious files. The CVE fixes in 7-Zip represent routine maintenance of this attack surface.

Open-source compression utilities compete with commercial alternatives and operating system built-in tools. 7-Zip's continued development maintains its position as a capable, free option for users and organizations.

What's Confirmed vs. What Remains Unclear

Confirmed:

  • Version 25.00 released on July 5, 2025
  • Support for more than 64 CPU threads on Windows for zip, 7z, xz compression and benchmarks
  • Bzip2 compression speed improved 15 to 40 percent
  • Deflate compression speed improved 1 to 3 percent
  • CVE-2025-53816 fixed (RAR archive handling)
  • CVE-2025-53817 fixed (COM archive handling)

Unclear:

  • Severity ratings for the CVE-tracked vulnerabilities
  • Whether the vulnerabilities were discovered internally or reported externally
  • Specific technical details of the vulnerability mechanisms
  • Performance improvement methodology and test configurations
  • Timeline for when the vulnerabilities were introduced

What to Watch Next

CVE Database Updates: The National Vulnerability Database and other CVE tracking systems will eventually publish detailed information about CVE-2025-53816 and CVE-2025-53817, including severity scores and affected version ranges.

Distribution Updates: Linux distributions and package managers that include 7-Zip or p7zip will need to incorporate the security fixes. The timeline for these updates varies by distribution.

Benchmark Comparisons: Independent testing of the performance claims will likely appear on technical forums and review sites. Comparisons on high-core-count systems will validate the thread scaling improvements.

Downstream Tool Updates: Software that bundles or depends on 7-Zip may release updates incorporating version 25.00. Build tools, installers, and backup utilities commonly include 7-Zip components.
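For tracking the distribution and downstream updates above, the following added example (not code from the 7-Zip project or from this article's sources) classifies 7-Zip builds by the version in their startup banner against the 25.00 release that carries the two CVE fixes. The host labels, paths and banner strings are constructed samples, and how the banners are collected from each machine is assumed to be handled elsewhere.

```python
import re

# First release with the CVE-2025-53816 / CVE-2025-53817 fixes, per the article.
FIXED = (25, 0)

# Version field of the startup banner. Covers "7-Zip 24.09 (x64) : ...",
# "7-Zip (z) 24.09 (x64) : ..." (7zz/7za builds) and p7zip's "7-Zip [64] 16.02 : ...".
BANNER_RE = re.compile(r"^7-Zip(?: \([a-z]\)| \[\d+\])? (\d+)\.(\d+)\b", re.MULTILINE)

# Constructed sample inventory (hypothetical hosts and paths): label -> captured banner.
SAMPLE_INVENTORY = {
    "build-01:C:/Program Files/7-Zip/7z.exe":
        "\n7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29\n",
    "ci-runner:/usr/bin/7zz":
        "\n7-Zip (z) 25.00 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-07-05\n",
    "backup-02:/usr/bin/7z":
        "\n7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\n",
    "installer-bundle:tools/7za.exe":
        "sh: 7za: command not found\n",
}


def parse_version(banner):
    """Return (major, minor) from a 7-Zip startup banner, or None if no banner is found."""
    match = BANNER_RE.search(banner)
    return (int(match.group(1)), int(match.group(2))) if match else None


def triage(inventory):
    """Map each label to 'fixed', 'update' or 'unknown'."""
    result = {}
    for label, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            result[label] = "unknown"  # no banner parsed: review by hand, do not assume fixed
        elif version >= FIXED:
            result[label] = "fixed"
        else:
            result[label] = "update"   # older than 25.00, so the fixes are not present
    return result


if __name__ == "__main__":
    for label, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {label}")
```

Entries reported as `unknown` matter as much as `update`: a bundled copy that cannot be run or identified still needs a manual check before it is treated as fixed.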

Sources

  1. 7-Zip Official History - https://www.7-zip.org/history.txt (July 5, 2025)
  2. 7-Zip GitHub Release - https://github.com/ip7z/7zip/releases/tag/25.00 (July 5, 2025)
  3. 7-Zip SourceForge Project - https://sourceforge.net/projects/sevenzip/ (Ongoing)
