7-Zip

Description

In 1998 a Russian programmer named Igor Pavlov began work on a file archiver. The existing options — WinZip, WinRAR, PKZip — all cost money, and the ZIP format hadn’t changed fundamentally since Phil Katz published the specification a decade earlier. Pavlov wanted something free, open source and meaningfully better at shrinking files.

Development started in late 1998 and the first beta was released on January 2, 1999. The stable 2.00 release came next on July 18, 1999. Pavlov released the source to SourceForge in November 2000 under the GNU Lesser General Public License with no funding or corporate support. He wrote and maintained it single-handedly, and distributed it free of charge.

7-Zip added its own archive format 7z in 2001 with version 2.30 beta. That format carried a new compression algorithm Pavlov had developed called LZMA — the Lempel-Ziv-Markov chain algorithm. LZMA proved to be much more effective than the Deflate algorithm on which ZIP is based. 7z went on to become a standard in software distribution, game archives and backup workflows.

Between 2002 and 2024, 7-Zip received 428 million downloads on SourceForge alone, and more than 27 million via the Chocolatey package manager for Windows by 2025. Pavlov continues to develop and release it with no team, organization, or revenue stream.

THE 7Z FORMAT AND LZMA

The ZIP format, introduced in 1989, uses the Deflate algorithm, which looks for duplicate strings in data and replaces them with shorter references, and uses Huffman coding. It provides typical compression ratios of about 30 percent for mixed content.

LZMA has a different approach. Its sliding dictionary is as large as 3,840 MB — much larger than Deflate’s — and is supported by a range coder. That wider search window allows LZMA to look for patterns in much more of the input before compressing any given section. The result is compression ratios of about 55 percent for typical mixed content. For source code, text and other structured data, the difference is more pronounced. LZMA2, which was introduced as an improvement, adds multi-threaded compression support, while retaining the efficiency of the algorithm.

The 7z format also supports solid compression, in which multiple files feed into a single stream of data. When there are common patterns in similar files — documents with the same header repeating over and over, source files with the same function names — solid compression finds and removes redundancies across file boundaries rather than processing each file individually. LZMA2 and solid compression combined give 7z its edge over competing formats for large archives.

The format supports files up to 16 exabytes, filenames are stored as Unicode, and AES-256 encryption is used for password-protected archives. Unlike ZIP’s encryption, which encrypts the contents but not the filenames, 7z encryption can also encrypt filenames, meaning that an attacker cannot tell what an archive contains without the password. The 7z format spec is open and royalty-free under the LGPL.

LZMA SDK AND WIDER ADOPTION

Pavlov made the LZMA Software Development Kit available to the public domain in December 2008, which means that any developer can use the algorithm without restriction.

The Linux xz compression utility, which creates .xz and .tar.xz archives, uses LZMA2 as its core algorithm via liblzma, a library based on Pavlov’s SDK. Most Linux distributions come with xz tools installed by default, which means that LZMA compression is running on hundreds of millions of Linux systems without 7-Zip installed. Debian, Ubuntu, Fedora, etc. uses xz compression for software packages. The Arch Linux package manager used LZMA based compression for years before switching to Zstandard.

The XZ Utils supply chain attack of March 2024 — in which a malicious actor embedded backdoor code into versions 5.6.0 and 5.6.1 of the xz library via a multi-year social engineering campaign — underscored how widely LZMA has spread through open-source infrastructure. The attack did not target 7-Zip directly, but the same compression layer that Pavlov’s algorithm is based on. Affected xz versions were off distributions quickly before widespread exploitation.

WINDOWS Interface and Features

7-Zip’s Windows interface is based on a two-panel file manager in which the two panels display directory trees and file listings. Users drag or copy between panels to transfer files. The manager opens archives like they are folders — clicking into a .7z or .zip file displays its contents and allows individual items to be extracted without having to unpack everything.

Shell integration adds right-click context menu entries throughout Windows Explorer. Options include adding files to a new archive, compressing to the current folder, or extracting a selected archive. Users can also create self-extracting archives — executable files that unpack themselves without requiring 7-Zip on the target machine.

For full creation and extraction 7-Zip supports 7z, ZIP, GZIP, BZIP2, XZ, TAR and WIM. For extraction only it handles ARJ, CAB, CHM, CPIO, DEB, DMG, FAT, HFS, ISO, RAR, RAR5, RPM, VHD, XAR, etc. Opening disk images such as ISO, DMG and VHD allows the user to browse the contents without mounting the file. For ZIP and GZIP, 7-Zip has compression ratios 2 to 10 percent better than WinZip and PKZip on the same files.

A command line interface is shipped in the form of 7z.exe together with the graphical client. Scripts and automated processes use it to create and extract archives without the GUI. Switches are available for compression level, format, encryption, multi-volume splitting, and subdirectory handling.

LINUX AND MACOS

For the first two decades or so of its existence, 7-Zip only ran on Windows. Linux and macOS users were using p7zip, a community port that lagged behind the main project, last updated in 2016.

Starting with version 21.01 alpha in 2021, Pavlov added official Linux and macOS support directly to the 7-Zip project. The command on those systems is 7zz instead of 7z to avoid conflicts with p7zip. Official builds include x86-64 and ARM64. The Linux and macOS versions have no graphical interface, but support all the formats and options that are available on Windows.

SECURITY

Because 7-Zip processes file content from untrusted sources, security flaws in the parsing code pose actual risk.

In September 2024, Trend Micro’s Zero Day Initiative team discovered an active zero-day exploit. A bug in the way 7-Zip propagated Windows Mark-of-the-Web flags meant that attackers could bypass Windows SmartScreen warnings. Files extracted from a double-nested archive lost their “downloaded from the internet” marker, so Windows considered them to be locally trusted and ran them without security prompts. Russian cybercrime groups used this against Ukrainian government and non-government organizations in SmokeLoader malware attacks, using homoglyph attacks — using visually similar Cyrillic characters in place of Latin letters in filenames — to disguise malicious executables as documents. Trend Micro informed Pavlov about the flaw and he fixed it in version 24.09 on November 30, 2024 (CVE-2025-0411).

Two other vulnerabilities disclosed in late 2025, CVE-2025-11001 and CVE-2025-11002, concerned the way 7-Zip handled symbolic links in ZIP files on Windows. Crafted archives could write files outside of the intended extraction folder, allowing code to be executed. Both had a CVSS score of 7.0 and were fixed in version 25.00.

Because 7-Zip doesn’t have any automatic update mechanism, users who don’t manually install new versions are stuck on old versions indefinitely – something security advisories constantly call a risk.