CVE-2025-0851 Overview
A path traversal vulnerability exists in the ZipUtils.unzip and TarUtils.untar functions within Deep Java Library (DJL), affecting all platforms. The flaw allows an attacker to write files to arbitrary locations on the file system by supplying an archive whose entry names contain path traversal sequences. When a vulnerable application processes such an archive, the extraction routines fail to sanitize the entry paths, enabling directory escape and arbitrary file writes.
Critical Impact
This path traversal vulnerability enables attackers to write malicious files to any location accessible by the application, potentially leading to remote code execution, system compromise, or data destruction across all platforms running affected DJL versions.
Affected Products
- Deep Java Library (DJL) versions prior to v0.31.1
- Applications using ZipUtils.unzip functionality
- Applications using TarUtils.untar functionality
Discovery Timeline
- 2025-01-29 - CVE-2025-0851 published to NVD
- 2025-10-14 - Last updated in the NVD database
Technical Details for CVE-2025-0851
Vulnerability Analysis
This vulnerability is classified under CWE-36 (Absolute Path Traversal), a weakness where software uses external input to construct a pathname that should be within a restricted directory, but fails to properly neutralize absolute path sequences that could resolve to a location outside of that directory.
The Deep Java Library provides utility classes for handling compressed archives in Java applications, commonly used in machine learning and AI workloads. The vulnerable functions ZipUtils.unzip and TarUtils.untar do not adequately validate or sanitize the file paths contained within archive entries before extracting them. An attacker can craft a malicious ZIP or TAR archive containing entries with path traversal sequences (such as ../ or absolute paths) that escape the intended extraction directory.
When the archive is processed by a vulnerable DJL application, the malicious entries are written to arbitrary locations on the filesystem with the permissions of the running application. This is particularly dangerous in server-side applications, CI/CD pipelines, or machine learning training environments where DJL might process untrusted model archives or datasets.
Root Cause
The root cause of this vulnerability is insufficient input validation within the archive extraction functions. The ZipUtils.unzip and TarUtils.untar methods do not canonicalize and validate destination paths before writing extracted files. Specifically, the code never checks that the resolved output path (destination directory joined with the entry name, then normalized) still lies inside the intended extraction directory, so entries with malicious path components escape the destination folder and are written to arbitrary filesystem locations.
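The missing check described above, as an added example written for this page (it is not DJL's own code, and the class and method names are hypothetical): a ZIP extraction helper that resolves each entry against the destination directory, normalizes the result and refuses anything that does not stay under that directory.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Hypothetical helper (not DJL code): extract a ZIP while refusing entries that escape destDir.
public final class SafeUnzip {
    // Map an entry name onto destDir and verify the normalized result is still inside it.
    // Catches "../" sequences (CWE-22) and absolute names (CWE-36) in one check.
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        // resolve() returns an absolute argument unchanged, so the startsWith check below is what rejects it.
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith compares whole name elements: "/out2/x" is not under "/out".
        if (!target.startsWith(root)) {
            throw new IOException("archive entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    static void unzip(InputStream in, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = safeResolve(destDir, entry.getName()); // check BEFORE any write
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("djl-extract");
        // Constructed entry names: one benign, then the two shapes the advisory describes.
        for (String name : new String[] {"model/weights.bin", "../../escape.txt", "/tmp/outside.txt"}) {
            try {
                System.out.println("accepted: " + safeResolve(dest, name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

normalize() does not follow symbolic links, and TAR archives (unlike ZipInputStream entries) can carry symlink entries, so an untar routine must apply the same containment check to link targets as well.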
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious ZIP or TAR archive containing entries with path traversal sequences (e.g., ../../etc/cron.d/malicious)
- Delivering the malicious archive to a target application that uses DJL's archive extraction utilities
- Waiting for the application to extract the archive, at which point the files are written to attacker-chosen paths outside the intended directory
The vulnerability is particularly concerning in scenarios where applications automatically download and extract model archives, datasets, or other resources from potentially untrusted sources. Machine learning pipelines that fetch pre-trained models or training data are prime targets for this attack.
Detection Methods for CVE-2025-0851
Indicators of Compromise
- Unexpected files appearing in system directories (e.g., /etc, /usr/local/bin, Windows system folders)
- Application logs showing extraction operations with unusual file paths containing ../ sequences
- Newly created or modified files outside of expected application directories following archive extraction operations
- Suspicious cron jobs, startup scripts, or configuration files appearing after DJL-based applications process archives
Detection Strategies
- Monitor file system write operations for paths containing directory traversal sequences during archive extraction
- Implement application-level logging to capture all file paths extracted by DJL utilities
- Deploy file integrity monitoring (FIM) on critical system directories to detect unauthorized writes
- Review application dependencies for DJL versions prior to v0.31.1
Monitoring Recommendations
- Enable comprehensive audit logging for file creation and modification events on systems running DJL applications
- Configure SIEM rules to alert on file operations with path traversal patterns in application contexts
- Monitor for unusual child processes spawned by Java applications that could indicate successful code execution post-exploitation
- Establish baselines for DJL application file operations and alert on deviations
How to Mitigate CVE-2025-0851
Immediate Actions Required
- Upgrade Deep Java Library to version v0.31.1 or later immediately
- Audit all applications using DJL to identify instances of ZipUtils.unzip or TarUtils.untar usage
- Review recent archive extraction operations for potential exploitation attempts
- Validate the integrity of systems that have processed untrusted archives using vulnerable DJL versions
Patch Information
AWS has released a security bulletin addressing this vulnerability. The fix is available in DJL version v0.31.1. Organizations should update their DJL dependencies to this version or later. Additional details are available in the GitHub Security Advisory GHSA-jcrp-x7w3-ffmg and the AWS Security Bulletin AWS-2025-003.
Workarounds
- If immediate patching is not possible, implement input validation to reject archives from untrusted sources
- Deploy application-level controls to restrict archive extraction to designated sandbox directories
- Use containerization or sandboxing to limit the filesystem impact of potential exploitation
- Implement runtime application self-protection (RASP) to detect and block path traversal attempts during archive extraction
# Verify the DJL version currently resolved in your project
mvn dependency:tree | grep -i 'ai.djl'
# Update the DJL dependency in Maven pom.xml to 0.31.1 or later:
# <dependency>
#   <groupId>ai.djl</groupId>
#   <artifactId>api</artifactId>
#   <version>0.31.1</version>
# </dependency>
# Or let the versions plugin bump every ai.djl artifact to its latest release
# (quote the pattern so the shell does not glob-expand the '*')
mvn versions:use-latest-releases -Dincludes='ai.djl:*'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.