PT-2024-24747 · Jadx · Jadx

0X33C0Unt

·

Published

2024-04-22

·

Updated

2024-04-23

·

CVE-2024-32653

CVSS v3.1

6.1

Medium

Vector AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: jadx versions prior to 1.5.0
Description: The issue concerns a Dex to Java decompiler in which the package name is not filtered before being concatenated into a command, so an attacker can inject arbitrary code through the package name. This can be exploited to execute commands with shell privileges.
Recommendations: For versions prior to 1.5.0, update to version 1.5.0 to resolve the issue. As a temporary workaround, filter package names manually before concatenation to minimize the risk of exploitation.
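The weakness described above is a classic command-injection pattern: untrusted input (a package name taken from the Dex file) is concatenated into a command string that a shell interprets. The following Python example is added here as a defender's illustration and is not jadx's own code; the page does not show which command jadx builds, so the `mkdir -p out/<package path>` command, the function names and the constructed package names are assumptions. It contrasts the raw-concatenation pattern with the recommended workaround (filter the package name against the Java package grammar) and with passing arguments as an argv list so no shell parses them at all.

```python
import re
import shlex

# Simplified Java package grammar: dot-separated identifiers made of ASCII
# letters, digits, '_' and '$', none starting with a digit.  This is the
# allow-list used for the workaround in this example (an assumption; the
# page does not show jadx's own filter).  Java keywords are not excluded.
_JAVA_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_PACKAGE_RE = re.compile(rf"^{_JAVA_IDENT}(?:\.{_JAVA_IDENT})*$")
_MAX_PACKAGE_LEN = 512  # arbitrary sanity bound, also an assumption


def is_safe_package_name(name: str) -> bool:
    """Allow-list check: True only if `name` is a syntactically valid package."""
    if not name or len(name) > _MAX_PACKAGE_LEN:
        return False
    return _PACKAGE_RE.fullmatch(name) is not None


def build_command_unsafe(package: str) -> str:
    """The vulnerable pattern: raw concatenation into a shell command string.
    Anything a shell treats specially inside `package` changes the command."""
    return "mkdir -p out/" + package.replace(".", "/")


def shell_tokens(command: str) -> list:
    """Show how a POSIX shell would tokenise `command` (shell punctuation such
    as ';' '|' '&' becomes its own token).  Used only to inspect the unsafe
    string; nothing is executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_command_safe(package: str) -> list:
    """Hardened pattern: validate against the allow-list and return an argv
    list for subprocess.run(argv) (no shell=True), so even the '$' that the
    Java grammar permits is never expanded by a shell."""
    if not is_safe_package_name(package):
        raise ValueError(f"rejected package name: {package!r}")
    return ["mkdir", "-p", "out/" + package.replace(".", "/")]


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell separator.
    for pkg in ("com.example.app", "com.example;id"):
        print(pkg, "->", "accepted" if is_safe_package_name(pkg) else "rejected")
        print("  shell would see:", shell_tokens(build_command_unsafe(pkg)))
```

Note that the allow-list alone is not enough if the result still goes through a shell: `$` is legal in Java identifiers but is also a shell expansion character, which is why `build_command_safe` returns an argv list instead of a string. Running `mkdir` via `subprocess.run(build_command_safe(pkg))` would then create the directory without any shell involvement.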

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-32653
GHSA-3PP3-HG2Q-9GPM

Affected Products

Jadx