GHSA-hvp5-5x4f-33fq: JADX file override vulnerability
When jadx parses a resource file, there is an escape problem with the style file, which can overwrite other files in the directory when saving the decompile result.
Although I don’t think this vulnerability realizes path traversal in the true sense of the word, I reported it anyway.
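The advisory describes a file name derived from a parsed resource replacing another file in the output directory. As an added example (not jadx code and not the project's fix), this is one way a tool that saves files under names taken from untrusted input can guard the write, both against names that leave the output root and against names that collide with a file already written. The class and method names are hypothetical and the sample names are constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

// Added illustration, not jadx code: class and method names are hypothetical.
public class SafeResourceWriter {
    private final Path root;

    public SafeResourceWriter(Path outputDir) throws IOException {
        Files.createDirectories(outputDir);
        this.root = outputDir.toRealPath();
    }

    // Resolve a name taken from the parsed resource against the output root.
    Path resolve(String untrustedName) throws IOException {
        Path target = root.resolve(untrustedName).normalize();
        // Rejects "../x", absolute paths, and names that normalize to the root itself.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IOException("name escapes output directory: " + untrustedName);
        }
        return target;
    }

    // Write one output file; never replace a file that already exists.
    public Path write(String untrustedName, byte[] data) throws IOException {
        Path target = resolve(untrustedName);
        Files.createDirectories(target.getParent());
        // CREATE_NEW fails atomically if the path exists, so a later resource
        // cannot silently overwrite an earlier output file.
        Files.write(target, data, StandardOpenOption.CREATE_NEW);
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeResourceWriter w = new SafeResourceWriter(Files.createTempDirectory("jadx-out"));
        byte[] xml = "<resources/>".getBytes(StandardCharsets.UTF_8);
        // Constructed sample names, not taken from the advisory.
        String[] names = {"res/values/styles.xml", "res/values/../values/styles.xml", "../outside.xml"};
        for (String n : names) {
            try {
                System.out.println("wrote " + w.write(n, xml));
            } catch (FileAlreadyExistsException e) {
                System.out.println("refused overwrite: " + n);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The second sample name stays inside the output directory but normalizes to the same path as the first, which is why the containment check alone is not enough and the write itself must refuse to replace an existing file.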