Description
Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations.
Published: 2026-04-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in Apktool versions 3.0.0 and 3.0.1 allows a maliciously crafted APK to write files outside the intended output directory. By inserting "../" sequences into the resource file, the decoder can overwrite arbitrary files such as ~/.ssh/config, ~/.bashrc, or Windows startup programs, potentially leading to remote code execution. The vulnerability is a classic filesystem traversal error (CWE-22).

Affected Systems

The vulnerability affects the Apktool project by iBotPeaches. The affected releases are 3.0.0 and 3.0.1. The advisory indicates that version 3.0.2 addresses the issue by restoring path sanitization before file writes.

Risk and Exploitability

The CVSS score of 7.1 denotes significant risk. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, indicating no known active exploitation at this time. Exploitation requires the attacker to supply a malicious APK and execute apktool's decode command locally; therefore the threat is primarily local or within an environment where influenced users run apktool. The flaw could be mitigated by applying the patch or abstracting the decoding process so that untrusted files are never processed.

Generated by OpenCVE AI on April 21, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apktool to version 3.0.2 or later, which restores proper path sanitization.
  • If unable to upgrade immediately, never run apktool with APK files from untrusted sources; isolate the process in a sandbox with limited file system access.
  • Configure the system to disable write permissions for critical directories such as ~/.ssh, ~/.bashrc, or Windows startup folders, or monitor file creation events to detect anomalous writes.

Generated by OpenCVE AI on April 21, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations.
Title Apktool: Path Traversal to Arbitrary File Write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:33:14.677Z

Reserved: 2026-04-08T00:01:47.627Z

Link: CVE-2026-39973

cve-icon Vulnrichment

Updated: 2026-04-21T13:33:08.739Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-21T02:16:07.903

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-39973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T15:37:55Z

Weaknesses