PT-2022-24851 · Jadx · Jadx

Skylot · Published 2022-10-20 · Updated 2022-10-24 · CVE-2022-39259

CVSS v3.1: 3.3 (Low)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

jadx versions prior to 1.4.5

Description

The issue concerns a Denial of Service that occurs when opening zip files containing HTML sequences. This can cause the interface to get stuck and throw exceptions. The problem arises when using jadx-gui to open a special zip file with an entry containing an HTML sequence, such as <html><frame>. This results in errors like java.lang.RuntimeException: Can't build aframeset, BranchElement(frameset) 1,3 :no ROWS or COLS defined. The issue is related to the interpretation of HTML in Swing components, which can be exploited if the text is from an untrusted source.

Recommendations

For versions prior to 1.4.5, update to version 1.4.5 to resolve the issue. As a temporary workaround, consider disabling HTML display in Swing components by setting the html.disable client property to true for each component, for example, label.putClientProperty("html.disable", true);.
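
The workaround above applied to a label and to a tree cell renderer, as an added example that is not jadx's own code. The class and helper names are hypothetical, and the check assumes Swing keeps the parsed HTML view under BasicHTML.propertyKey.

```java
import java.awt.Component;
import javax.swing.JLabel;
import javax.swing.JTree;
import javax.swing.plaf.basic.BasicHTML;
import javax.swing.tree.DefaultTreeCellRenderer;

// Added illustration: class and method names are hypothetical, not jadx code.
public class UntrustedTextDemo {

    // Label for text from an untrusted source, such as a zip entry name.
    // The property is set before the text, so no HTML view is ever built.
    static JLabel plainLabel(String untrusted) {
        JLabel label = new JLabel();
        label.putClientProperty("html.disable", true);
        label.setText(untrusted);
        return label;
    }

    // DefaultTreeCellRenderer is a JLabel, so the same client property
    // covers every node name this renderer is asked to display.
    static class PlainTreeCellRenderer extends DefaultTreeCellRenderer {
        PlainTreeCellRenderer() {
            putClientProperty("html.disable", true);
        }
    }

    // Swing stores the parsed HTML view under BasicHTML.propertyKey;
    // null means the text is treated as plain characters.
    static boolean rendersHtml(JLabel c) {
        return c.getClientProperty(BasicHTML.propertyKey) != null;
    }

    public static void main(String[] args) {
        String entryName = "<html><frame>"; // sequence named in the advisory

        // Constructed benign markup in a default label: parsed as HTML.
        JLabel unprotected = new JLabel("<html><b>demo</b>");
        System.out.println("default label renders HTML: " + rendersHtml(unprotected));

        JLabel safe = plainLabel(entryName);
        System.out.println("hardened label renders HTML: " + rendersHtml(safe));
        System.out.println("text kept verbatim: " + entryName.equals(safe.getText()));

        PlainTreeCellRenderer renderer = new PlainTreeCellRenderer();
        Component cell = renderer.getTreeCellRendererComponent(
                new JTree(), entryName, false, false, true, 0, false);
        System.out.println("tree cell renders HTML: " + rendersHtml((JLabel) cell));
    }
}
```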

Related Identifiers

CVE-2022-39259
GHSA-3R7J-8MQH-6QHX

Affected Products

Jadx