Publication Date: 2025/01/29 1:30 PM PST
AWS identified CVE-2025-0851, a path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms. A crafted archive whose entry names escape the extraction directory (the classic ".." traversal in a zip or tar entry name) allows an attacker to write files to arbitrary locations on the host that extracts it. If exploited, an attacker could gain SSH access by writing an SSH key into a user's authorized_keys file, or drop HTML files into a web-served directory to mount cross-site scripting attacks. We can confirm that this issue has not been exploited. A fix for this issue has been released and we recommend that users of DJL upgrade to version 0.31.1 or later.
Affected versions: 0.1.0 - 0.31.0
Resolution
The patches are included in DJL 0.31.1.
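The following is an added, illustrative example of the vulnerability class the bulletin describes (archive path traversal, often called Zip Slip) and the check that closes it. It is written against plain java.util.zip and is not DJL's ZipUtils, TarUtils, or the actual 0.31.1 patch; the class name ZipSlipDemo, the method names, and the sample archive are all constructed for this example. The unchecked extractor joins each entry name to the destination and writes; the hardened one normalizes the joined path and refuses any entry that does not remain under the destination, before anything is written.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // Vulnerable pattern (illustrative, not DJL's code): the entry name is joined to the
    // destination directory and written without checking where it actually lands.
    // An entry named "../../.ssh/authorized_keys" resolves outside dest.
    static void unzipUnchecked(InputStream in, Path dest) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path out = dest.resolve(entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    Files.copy(zis, out);
                }
            }
        }
    }

    // Hardened resolution: normalize the joined path and require that it stays under
    // the normalized destination. Path.startsWith compares whole path components, so
    // "/tmp/out" does not falsely match "/tmp/out-other". Absolute entry names are
    // rejected too, because resolve() replaces the base with an absolute argument.
    static Path resolveInside(Path dest, String entryName) throws IOException {
        Path base = dest.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("archive entry escapes destination: " + entryName);
        }
        return target;
    }

    static void unzipSafe(InputStream in, Path dest) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path out = resolveInside(dest, entry.getName()); // throws before any write
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    Files.copy(zis, out);
                }
            }
        }
    }

    // Constructed sample archive: a single file entry whose name climbs out of the
    // extraction directory, mirroring the authorized_keys scenario in the bulletin.
    static byte[] buildTraversalZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("../../.ssh/authorized_keys"));
            zos.write("ssh-ed25519 AAAAC3... attacker@example".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip-demo");
        byte[] zip = buildTraversalZip();

        // Where the unchecked pattern would write (computed only; nothing is written here).
        Path escaped = dest.resolve("../../.ssh/authorized_keys").normalize();
        System.out.println("unchecked resolve would write to: " + escaped);

        // The hardened extractor refuses the archive before touching the filesystem.
        try {
            unzipSafe(new ByteArrayInputStream(zip), dest);
            System.out.println("unexpected: archive was extracted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats for anyone applying this pattern to their own extractor. First, do the containment check on the normalized path, not on the raw string: a check like name.contains("..") misses encodings and absolute names, while the normalize-then-startsWith check above handles "..", "./", and leading "/" uniformly. Second, a tar extractor needs the same check applied to the targets of symlink and hardlink entries, since a link entry pointing outside the destination followed by a file entry written through that link achieves the same escape without any ".." in a file name.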
Reference
Please email aws-security@amazon.com with any security questions or concerns.