CVE-2018-17297

HIGH

Hutool < 4.1.12 - Path Traversal and Arbitrary File Write via ZipUtil Unzip Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-17297. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository appears to be a legitimate writeup or documentation for the Hutool library, specifically referencing CVE-2018-17297. It includes standard project files, documentation, and build scripts but lacks actual exploit code or offensive techniques.

Description

The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within a ZIP archive.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/dromara__hutool_CVE-2018-17297_4-1-1111


Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Hutool library version 4.1.11
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References (1)
Third Party Advisory (x_refsource_misc)
https://github.com/looly/hutool/issues/162

Scores

CVSS v3 7.5
EPSS 0.0043
EPSS Percentile 62.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (4)
cn.hutool/hutool-all 0 - 4.1.12 (Maven)
cn.hutool/hutool-core 0 - 4.1.12 (Maven)
cn.hutool/hutool-parent 0 - 4.1.12 (Maven)
hutool/hutool < 4.1.12
Published Sep 21, 2018
Tracked Since Feb 18, 2026