Security · 3h ago
Researcher reproduces patched Android APK path traversal bug
A developer reproduced CVE-2026-39973, a path traversal vulnerability in apktool, by crafting a malicious resources.arsc file. The bug allowed arbitrary file writes outside the output directory in version 3.0.1. The fix in the current HEAD build successfully blocked the attack, demonstrating the importance of verifying security patches.
Meridian48 take
The story underscores that advisory fixes are not proof — developers should independently verify patches, especially for tools that process untrusted input.
Read the full reporting
The Advisory Said It Was Fixed. I Didn't Believe It Until I Broke It Myself. →
DEV Community
apktoolpath-traversal