CVE-2024-37902
📋 TL;DR
This vulnerability in DeepJavaLibrary (DJL) is a path traversal in archive extraction: when DJL unpacks archived artifacts (such as downloaded model archives) it does not validate entry paths, so an entry whose name is an absolute path is written to that location instead of under the extraction directory. An attacker who can get a crafted archive extracted by DJL can therefore overwrite any file the DJL process has permission to write, including system files when the process runs with elevated privileges. DJL versions 0.1.0 through 0.27.0 are affected.
💻 Affected Systems
- DeepJavaLibrary (DJL) 0.1.0 through 0.27.0 (fixed in 0.28.0)
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file overwrite with the privileges of the DJL process. If that process runs as root or can write to locations that are later executed or loaded (cron or systemd unit directories, shell startup files, application class paths or model directories), this becomes remote code execution, data destruction, or a persistent backdoor.
Likely Case
Overwrite of files writable by the DJL service account, leading to privilege escalation via writable trusted paths, service disruption, or data corruption.
If Mitigated
Limited impact when the DJL process runs as an unprivileged user and file permissions or sandboxing prevent it from writing outside its own data and model directories.
🎯 Exploit Status
Exploitation requires the ability to supply an archive that the vulnerable DJL application will extract, for example a model archive loaded from a URL, path, or upload the attacker controls. No user interaction beyond the normal artifact load is needed; the absolute-path entry is written as soon as the archive is extracted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.28.0
Vendor Advisory: https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj
Restart Required: Yes
Instructions:
1. Update DJL to version 0.28.0 or later.
2. For DJL Large Model Inference containers, update to version 0.27.0 or later.
3. Restart all applications using DJL.
🔧 Temporary Workarounds
Restrict archive sources
Only allow archive extraction from trusted, validated sources (pinned model repositories or internal artifact mirrors, not user-supplied URLs or uploads)
Run with limited permissions
Run DJL applications as an unprivileged user with write access limited to their own model and cache directories
🧯 If You Can't Patch
- Implement strict input validation for archive files before processing
- Run DJL in a container or sandbox with restricted file system access
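As an added example of the input-validation workaround above (this is not DJL's own code or its patch), the Java extractor below resolves every archive entry name against the destination directory and refuses any entry that is absolute, uses a drive prefix, or normalises to a location outside the destination, before a single byte is written. The class and method names (SafeUnzip, safeResolve, UnsafeEntryException) are my own, and the archives are constructed in memory for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    /** Thrown when an archive entry would land outside the extraction root. */
    public static class UnsafeEntryException extends IOException {
        public UnsafeEntryException(String entryName) {
            super("refusing archive entry that escapes the extraction root: " + entryName);
        }
    }

    /**
     * Resolve an entry name against root and reject anything that is absolute
     * or that escapes root after normalisation ("../" sequences, backslash
     * separators, drive prefixes). root must already be absolute and normalised.
     */
    static Path safeResolve(Path root, String entryName) throws UnsafeEntryException {
        // ZIP entries should use '/', but some archivers emit '\'; treat both as separators.
        String name = entryName.replace('\\', '/');
        // Path.resolve() replaces root entirely when given an absolute path, so check explicitly.
        if (name.startsWith("/")) {
            throw new UnsafeEntryException(entryName);
        }
        Path candidate = root.resolve(name).normalize();
        // After normalisation the candidate must still sit under root (catches "../" and "C:/...").
        if (!candidate.startsWith(root)) {
            throw new UnsafeEntryException(entryName);
        }
        return candidate;
    }

    /** Extract a ZIP stream into destDir, validating each entry before writing it. */
    public static List<Path> extract(InputStream archive, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = safeResolve(root, entry.getName()); // validate BEFORE any write
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                    written.add(target);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    /** Build a small in-memory archive with the given entry names (constructed test data). */
    static byte[] buildArchive(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String n : names) {
                zos.putNextEntry(new ZipEntry(n)); // ZipEntry accepts absolute names unchanged
                zos.write("payload".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("safe-unzip-demo");

        // Benign archive: a relative entry extracts under dest as expected.
        List<Path> ok = extract(new ByteArrayInputStream(buildArchive("model/weights.bin")), dest);
        System.out.println("extracted: " + ok);

        // Hostile archives: an absolute path, a "../" escape, and a backslash variant.
        // Each is refused before anything is written.
        String[] hostile = {"/etc/cron.d/backdoor", "../../.bashrc", "model\\..\\..\\escape.txt"};
        for (String name : hostile) {
            try {
                extract(new ByteArrayInputStream(buildArchive(name)), dest);
                System.out.println("BUG: accepted " + name);
            } catch (UnsafeEntryException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Because a ZIP stream is read in one pass, a benign entry that precedes a hostile one will already have been written when the exception fires; if that matters, extract into a fresh temporary directory and move it into place only after the whole archive has been accepted. The same resolve-and-check pattern applies to TAR extraction, where you must additionally reject symlink and hardlink entries whose targets point outside the root.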
🔍 How to Verify
Check if Vulnerable:
Check DJL version in your application dependencies or build configuration
Check Version:
Check your build.gradle, pom.xml, or dependency manifest for DJL version
Verify Fix Applied:
Confirm DJL version is 0.28.0 or later, or for containers, version 0.27.0 or later
📡 Detection & Monitoring
Log Indicators:
- Unexpected file write operations to system directories
- Archive extraction errors or warnings
Network Indicators:
- Archive downloads by hosts running DJL from sources other than your approved model repositories or artifact mirrors
SIEM Query:
File create or modify events under system directories (for example /etc, /usr, cron and systemd unit directories, user home directories) where the writing process is the JVM hosting DJL