What is the CVSS score of CVE-2024-21633?

CVE-2024-21633 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 80.5%.

Which versions of Apktool are affected by CVE-2024-21633?

Organizations using Apktool face notable risk from CVE-2024-21633, a path traversal vulnerability rated CVSS 7.8.. A patch is available.

Is there a public PoC exploit available for CVE-2024-21633?

Yes, a public proof-of-concept exploit is available for CVE-2024-21633. Prioritise patching immediately. EPSS: 80.5%.

How to fix or mitigate CVE-2024-21633?

Within 30 days: Identify all affected systems running versions 2.9.1 and and apply vendor patches as part of regular patch cycle. Review file handling controls and restrict upload directories.

Apktool CVE-2024-21633

HIGH

Path Traversal (CWE-22)

2024-01-03 security-advisories@github.com

Google Path Traversal Apktool Android

7.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.8 HIGH

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:33 vuln.today

Patch released

Mar 28, 2026 - 19:33 nvd

Patch available

PoC Detected

Nov 21, 2024 - 08:54 vuln.today

Public exploit code

CVE Published

Jan 03, 2024 - 17:15 nvd

HIGH 7.8

DescriptionGitHub Advisory

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.

AnalysisAI

Apktool versions 2.9.1 and prior contain a path traversal vulnerability when processing Android APK files. Malicious APK resources with crafted filenames can write files to arbitrary locations on the system, enabling code execution on developer and CI/CD machines that analyze untrusted APKs.

Technical ContextAI

Apktool processes Android APK files by extracting and decompiling resources. Resource filenames from the APK's resource table are used to create output paths without proper sanitization. A malicious APK can include resources with path traversal sequences (e.g., ../../.bashrc) that write files outside the intended output directory when decompiled.

RemediationAI

Update to Apktool 2.9.2 or later. Run APK analysis in sandboxed environments (containers, VMs). Never decompile untrusted APKs on production machines. Review output directories after Apktool runs for files outside the expected project structure.

CVE-2024-21633 vulnerability details – vuln.today

Back

Apktool CVE-2024-21633

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code