During device acquisition, getPathToLocalCopy() constructs local filesystem paths for downloaded APKs using a filename component extracted by extractFileName(). The extraction splits on ==/ and takes the remainder without sanitization. If a compromised device returns a crafted APK path containing traversal sequences, filepath.Join resolves them, allowing the file to be written outside the intended apks/ directory.
Practical exploitability is limited because Android enforces strict package path formats under /data/app/ and does not allow apps to register paths containing traversal sequences. Rated Informational as a defense-in-depth concern.
An attacker with control of the connected device could potentially write files outside the expected output directory on the acquisition workstation, leading to arbitrary file overwrite with attacker-controlled content.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 1.1 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-763j-3p5v-jfc6 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/mvt-project/androidqf | <= 1.8.2 | 1.8.3 | — |