PT-2025-4075 · Unknown · Deepjavalibrary

Siddvenk

·

Published

2025-01-29

·

Updated

2025-10-14

·

CVE-2025-0851

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Deep Java Library (DJL) versions 0.1.0 through 0.31.0

Description

A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations. The issue exists because the extraction of tar and zip model archives does not guard against absolute paths in entry names. It can be exploited with archives created on a different operating system from the one performing the extraction, allowing an attacker to write artifacts outside the intended destination directory.

Recommendations

For versions 0.1.0 through 0.31.0, update to version 0.31.1 or later to resolve the issue. As a temporary workaround, do not use model archive files from sources you do not trust; only use model archives from official sources such as the DJL Model Zoo, or models that you have created and packaged yourself.
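The following is an added example written for this advisory; it is not DJL's code and does not reproduce the library's ZipUtils.unzip or TarUtils.untar implementation. It assumes the generic extraction pattern of resolving each entry name against the destination with java.nio.file.Path.resolve, which returns an absolute argument unchanged and is one common way the absolute-path escape described above arises. The class and method names (SafeUnzipDemo, unsafeTarget, safeTarget, unzip) and the in-memory archive with one benign and two hostile entry names are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzipDemo {

    // Constructed test archive: one benign entry plus two hostile names.
    // "/tmp/pwned.txt" is an absolute POSIX entry; "..\\..\\pwned.txt" is a
    // Windows-style traversal that a POSIX extractor would otherwise treat as
    // a single odd file name and a Windows extractor as two parent hops.
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : new String[] {"model/weights.bin", "/tmp/pwned.txt", "..\\..\\pwned.txt"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("payload".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern (assumed, not DJL's code): Path.resolve() returns the
    // argument unchanged when it is absolute, so "/tmp/pwned.txt" resolves to
    // /tmp/pwned.txt rather than to a file under dest. Only computes the path.
    static Path unsafeTarget(Path dest, String entryName) {
        return dest.resolve(entryName);
    }

    // Hardened pattern: normalise separators, reject absolute names and drive
    // letters, then confirm the normalised result still lives under dest.
    // Must run before any directory or file is created for the entry.
    static Path safeTarget(Path dest, String entryName) throws IOException {
        String name = entryName.replace('\\', '/');
        if (name.startsWith("/") || name.matches("[A-Za-z]:.*")) {
            throw new IOException("absolute path in archive entry: " + entryName);
        }
        Path root = dest.toAbsolutePath().normalize();
        Path target = root.resolve(name).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("path traversal in archive entry: " + entryName);
        }
        return target;
    }

    // Extraction loop that applies the check to every entry; aborts on the
    // first hostile name so nothing outside dest is ever touched.
    static void unzip(InputStream in, Path dest) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = safeTarget(dest, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    try (OutputStream out = Files.newOutputStream(target)) {
                        zis.transferTo(out);
                    }
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("djl-demo");
        byte[] archive = buildArchive();

        // Show where the unguarded resolve would place each entry (no writes).
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                System.out.println(e.getName() + " -> unsafe target: " + unsafeTarget(dest, e.getName()));
            }
        }

        // Guarded extraction: the benign entry is written, the first hostile one is rejected.
        try {
            unzip(new ByteArrayInputStream(archive), dest);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The same safeTarget check applies unchanged to tar entry names, since a tar header carries an arbitrary name string exactly as a zip local header does. Normalising backslashes before the check matters for the cross-platform case the advisory describes: an entry such as `..\..\pwned.txt` is harmless on Linux, where it becomes one file with a strange name, but escapes the destination when the same archive is extracted on Windows.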

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2025-01109
CVE-2025-0851
GHSA-JCRP-X7W3-FFMG

Affected Products

Deepjavalibrary