Amazon AWS DeepJavaLibrary up to 0.31.0 ZipUtils.unzip/TarUtils.untar absolute path traversal
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.6 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as very critical has been discovered in Amazon AWS DeepJavaLibrary up to 0.31.0. The affected element is the function ZipUtils.unzip/TarUtils.untar. The manipulation results in absolute path traversal.
This vulnerability is identified as CVE-2025-0851. The attack can be executed remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
Details
A vulnerability was found in Amazon AWS DeepJavaLibrary up to 0.31.0. It has been classified as very critical. Affected is the function ZipUtils.unzip/TarUtils.untar. The manipulation with an unknown input leads to a absolute path traversal vulnerability. CWE is classifying the issue as CWE-36. The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations.
The advisory is shared for download at aws.amazon.com. This vulnerability is traded as CVE-2025-0851 since 01/29/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 10/15/2025). The MITRE ATT&CK project declares the attack technique as T1006.
Upgrading to version 0.31.1 eliminates this vulnerability.
Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
- 0.1
- 0.2
- 0.3
- 0.4
- 0.5
- 0.6
- 0.7
- 0.8
- 0.9
- 0.10
- 0.11
- 0.12
- 0.13
- 0.14
- 0.15
- 0.16
- 0.17
- 0.18
- 0.19
- 0.20
- 0.21
- 0.22
- 0.23
- 0.24
- 0.25
- 0.26
- 0.27
- 0.28
- 0.29
- 0.30
- 0.31.0
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CNA CVSS-B Score: 🔍
CNA CVSS-BT Score: 🔍
CNA Vector: 🔍
CVSSv3
VulDB Meta Base Score: 9.8VulDB Meta Temp Score: 9.6
VulDB Base Score: 9.8
VulDB Temp Score: 9.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 9.8
CNA Vector (AMZN): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Absolute path traversalCWE: CWE-36 / CWE-22
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: AWS DeepJavaLibrary 0.31.1
Timeline
01/29/2025 🔍01/29/2025 🔍
01/29/2025 🔍
10/15/2025 🔍
Sources
Advisory: AWS-2025-003Status: Confirmed
CVE: CVE-2025-0851 (🔍)
GCVE (CVE): GCVE-0-2025-0851
GCVE (VulDB): GCVE-100-294036
Entry
Created: 01/29/2025 23:16Updated: 10/15/2025 03:20
Changes: 01/29/2025 23:16 (77), 10/15/2025 03:20 (1)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.