
Xuwei-K

#52553 of 53,638
3.9 Total CVSS
Vulnerabilities · 1
PT-2023-29855
3.9
2023-10-23
Sbt · Sbt · CVE-2023-46122
**Name of the Vulnerable Software and Affected Versions**

sbt versions prior to 1.9.7

**Description**

A specially crafted zip or JAR file, when extracted with `IO.unzip`, can write arbitrary files outside the intended target directory (path traversal through archive entry names). This could, for example, overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in the `pullRemoteCache` task and in `Resolvers.remote`. Many projects also call `IO.unzip(...)` directly from custom tasks.

**Recommendations**

For versions prior to 1.9.7, update to version 1.9.7 to resolve the issue. As a temporary workaround, consider using an alternative library to unzip files until the update can be applied. Restrict access to the `IO.unzip` function to minimize the risk of exploitation. Avoid using `IO.unzip` directly in custom tasks until the issue is resolved.
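The defensive check that closes this class of bug is to resolve each archive entry name against the target directory and refuse any entry whose normalized path lands outside it. The following is an added illustration written for this page, not sbt's own `IO.unzip` or its 1.9.7 fix; it uses only the JDK's `java.util.zip` and `java.nio.file`, builds a small zip in memory with one constructed traversal entry (`../../escaped.txt`) as sample input, and the names `SafeUnzip`, `resolveWithinTarget` and `safeUnzip` are assumed for the example.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream}
import java.nio.file.{Files, Path}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

object SafeUnzip {
  // Builds an in-memory zip from (entryName, content) pairs.
  // Used only to construct sample input for the example; it is not a real archive.
  def buildZip(entries: Seq[(String, String)]): Array[Byte] = {
    val bos = new ByteArrayOutputStream()
    val zos = new ZipOutputStream(bos)
    entries.foreach { case (name, content) =>
      zos.putNextEntry(new ZipEntry(name))
      zos.write(content.getBytes("UTF-8"))
      zos.closeEntry()
    }
    zos.close()
    bos.toByteArray
  }

  // Resolve an entry name against the target directory and reject anything that
  // normalizes to a location outside it. This covers "../" segments and absolute
  // entry names (Path.resolve returns an absolute argument unchanged, so it will
  // not start with the base directory either).
  def resolveWithinTarget(targetDir: Path, entryName: String): Either[String, Path] = {
    val base = targetDir.toAbsolutePath.normalize()
    val resolved = base.resolve(entryName).normalize()
    // Path.startsWith compares whole path components, so "/tmp/xy" does not
    // count as inside "/tmp/x".
    if (resolved.startsWith(base)) Right(resolved)
    else Left(s"refusing entry '$entryName': resolves outside $base")
  }

  // Extracts the archive, writing only entries that stay inside targetDir.
  // Returns the paths written and the names of the entries that were rejected.
  def safeUnzip(zipBytes: Array[Byte], targetDir: Path): (Seq[Path], Seq[String]) = {
    val zis = new ZipInputStream(new ByteArrayInputStream(zipBytes))
    var written = Vector.empty[Path]
    var rejected = Vector.empty[String]
    var entry = zis.getNextEntry
    while (entry != null) {
      resolveWithinTarget(targetDir, entry.getName) match {
        case Left(_) =>
          rejected :+= entry.getName
        case Right(out) =>
          if (entry.isDirectory) Files.createDirectories(out)
          else {
            Files.createDirectories(out.getParent)
            // ZipInputStream signals end-of-entry as end-of-stream, so Files.copy
            // writes exactly this entry's body.
            Files.copy(zis, out)
            written :+= out
          }
      }
      zis.closeEntry()
      entry = zis.getNextEntry
    }
    zis.close()
    (written, rejected)
  }

  def main(args: Array[String]): Unit = {
    val target = Files.createTempDirectory("safe-unzip")
    // Constructed sample archive: one benign entry and one traversal entry.
    val zip = buildZip(Seq(
      "lib/ok.txt"        -> "fine",
      "../../escaped.txt" -> "must never be written"
    ))
    val (written, rejected) = safeUnzip(zip, target)
    println(s"written:  $written")   // only <target>/lib/ok.txt
    println(s"rejected: $rejected")  // Vector(../../escaped.txt)
  }
}
```

Rejecting the entry (rather than silently rewriting its name) is the safer choice for a build tool: a traversal entry in a remote cache or resolver payload is evidence of a malicious or corrupted archive, so failing loudly and logging the offending entry name gives the operator something to act on.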