generateZipPath() constructs zip entry names for collected APKs using device-controlled content from extractFileName(). Since extractFileName() does not reject traversal sequences, the resulting zip entry name can contain ../. AndroidQF itself does not extract the zip it creates, but any forensic tool that extracts the acquisition bundle without zip-slip protection could write files to attacker-chosen paths.
A compromised device could inject path traversal sequences into the acquisition bundle's zip entry names. When a forensic analyst or forensic tooling extracts the bundle without entry name validation, files could be written outside the intended extraction directory.
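
The entry name validation that an extracting tool needs, sketched as an added example; this is not AndroidQF's code or its 1.8.3 fix. The names safeJoin, unsafeEntries and sampleBundle, the /tmp/acquisition directory and the entry names are all assumptions made for illustration.

```go
package main
import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps a zip entry name under destDir, rejecting absolute names and ../ escapes.
func safeJoin(destDir, entryName string) (string, error) {
	name := strings.ReplaceAll(entryName, `\`, "/") // treat backslashes as separators too
	if name == "" || strings.HasPrefix(name, "/") || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("rejected entry name %q", entryName)
	}
	target := filepath.Join(destDir, filepath.FromSlash(name))
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", entryName, destDir)
	}
	return target, nil
}

// unsafeEntries lists the entry names in a bundle that safeJoin refuses to extract.
func unsafeEntries(bundle []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(bundle), int64(len(bundle)))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := safeJoin(destDir, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// sampleBundle builds a constructed in-memory zip: one normal entry, one traversal entry.
func sampleBundle() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range []string{"apks/com.example.app/base.apk", "apks/../../outside.apk"} {
		w.Create(n) // empty entries are enough; only the names matter here
	}
	w.Close()
	return buf.Bytes()
}
func main() { fmt.Println(unsafeEntries(sampleBundle(), "/tmp/acquisition")) }
```

Running the check over a bundle before extraction lets the analyst refuse or quarantine it rather than discovering the escape after files have been written.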
This issue was identified during a security assessment conducted by 0xche.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 1.1 | 4.0 | — | |

| Type | Value |
|---|---|
| GHSA | GHSA-jf2q-463c-6f52 |

| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |

Vulnerable version ranges and first patched releases as published by GitHub.

| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/mvt-project/androidqf | <= 1.8.2 | 1.8.3 | — |