CVE-2026-39973— Apktool: Path Traversal to Arbitrary File Write

Apktool: Path Traversal to Arbitrary File Write

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

对路径名的限制不恰当(路径遍历)

Apktool 路径遍历漏洞

Apktool是Connor Tumbleson个人开发者的一款对Android APK文件进行逆向工程的工具。 Apktool 3.0.0版本和3.0.1版本存在路径遍历漏洞，该漏洞源于brut/androlib/res/decoder/ResFileDecoder.java文件存在路径遍历问题，可能导致恶意APK在标准解码过程中向文件系统写入任意文件，从而提升至远程代码执行。

N/A

N/A