CVE-2025-0851

CRITICAL LAB

Ai.djl API < 0.31.1 - Path Traversal

Description

A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations.

Exploits (2)

nomisec WRITEUP 1 star
by skrkcb2 · poc
https://github.com/skrkcb2/CVE-2025-0851

github WORKING POC
by manus-use · postscriptpoc
https://github.com/manus-use/cve-pocs/tree/main/deep-java-library-CVE-2025-0851

Scores

CVSS v3 9.8
EPSS 0.3068
EPSS Percentile 96.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull eclipse-temurin:17-jdk

Details

CWE
CWE-36 CWE-73
Status published
Products (2)
ai.djl/api 0 - 0.31.1 (Maven)
AWS/DeepJavaLibrary 0.1.0 - 0.31.1
Published Jan 29, 2025
Tracked Since Feb 18, 2026