VYPR
High severity · NVD Advisory · Published Sep 21, 2018 · Updated Aug 5, 2024

CVE-2018-17297

Description

The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within a ZIP archive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hutool before 4.1.12 allows arbitrary file overwrite via directory traversal in ZIP entries.

Vulnerability

The unzip function in ZipUtil.java of Hutool (versions prior to 4.1.12) does not validate or sanitize the file names read from a ZIP archive. Specifically, the value returned by zipEntry.getName() is used directly as the output path without checking for directory traversal sequences such as ../ or ..\. An archive whose entries carry crafted names can therefore cause files to be written outside the intended extraction directory. The affected packages are cn.hutool:hutool-all, cn.hutool:hutool-core, and cn.hutool:hutool-parent [1][3].

Exploitation

An attacker needs to supply a malicious ZIP archive containing files with path names that include directory traversal sequences (e.g., ../../evil.txt). If a user or system using a vulnerable version of Hutool extracts this archive via the unzip method, the library will write the entry’s content to the resolved path on the filesystem. No authentication or special privileges are required beyond the ability to deliver the ZIP file to the extraction process [2][4].

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the target system with the content of the malicious ZIP entry. This can be used to overwrite sensitive configuration files or application binaries, or to drop web shells. The impact is bounded by the paths writable to the process performing the extraction; in the worst case it leads to remote code execution if critical executable or script files are replaced [4].

Mitigation

The vulnerability is fixed in Hutool version 4.1.12 and later, and users should upgrade to at least this version. There is no known workaround for older versions other than not passing untrusted ZIP archives to the unzip function, or validating entry names externally before extraction. The fix was released on October 17, 2018 [3].
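As an added illustration of the mechanics described under Vulnerability and of the "external input validation" mitigation, not code from the Hutool project or from this advisory: a minimal Java extractor that resolves each entry name against the destination, normalizes the result, and refuses any entry that escapes the destination directory. The class and method names (SafeUnzip, resolveInside, ZipTraversalException) are my own, and the two sample archives are constructed in memory rather than taken from any real sample.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {

    /** Thrown when a ZIP entry would resolve outside the destination directory. */
    public static final class ZipTraversalException extends IOException {
        public ZipTraversalException(String entryName) {
            super("ZIP entry escapes destination directory: " + entryName);
        }
    }

    /**
     * Resolve an entry name against the destination and reject it unless the
     * normalized result still lies inside the destination. This is the check
     * the advisory says was missing: getName() was used as the path as-is.
     * Absolute names (e.g. "/etc/passwd") are rejected by the same test,
     * because resolve() returns them unchanged and they do not start with base.
     */
    static Path resolveInside(Path destDir, String entryName) throws ZipTraversalException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        // Path.startsWith compares whole components, so "/tmp/out" does not
        // match "/tmp/outside"; a plain String prefix check would.
        if (!target.startsWith(base)) {
            throw new ZipTraversalException(entryName);
        }
        return target;
    }

    /** Extract a ZIP stream into destDir, failing closed on any traversal entry. */
    public static void unzip(InputStream in, Path destDir) throws IOException {
        Files.createDirectories(destDir);
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = resolveInside(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    /** Build a small in-memory archive with the given entry names (constructed test data). */
    static byte[] archiveWith(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : names) {
                // ZipOutputStream does not validate names, so "../x" is stored verbatim.
                zos.putNextEntry(new ZipEntry(name));
                zos.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("safe-unzip");

        // A well-formed entry extracts normally.
        unzip(new ByteArrayInputStream(archiveWith("data/ok.txt")), dest);
        System.out.println("extracted inside dest: " + Files.exists(dest.resolve("data/ok.txt")));

        // A traversal entry is refused before anything is written.
        try {
            unzip(new ByteArrayInputStream(archiveWith("../escaped.txt")), dest);
        } catch (ZipTraversalException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("nothing written outside dest: "
                + !Files.exists(dest.resolveSibling("escaped.txt")));
    }
}
```

Because ZipInputStream cannot be rewound, an archive that mixes good entries with a traversal entry will have its earlier entries written before the exception is raised. If partial extraction is unacceptable, read the archive from disk with java.util.zip.ZipFile, run resolveInside over every entry name in a first pass, and only then extract.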

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions   Patched versions
cn.hutool:hutool-parent   Maven       < 4.1.12            4.1.12
cn.hutool:hutool-all      Maven       < 4.1.12            4.1.12
cn.hutool:hutool-core     Maven       < 4.1.12            4.1.12

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.