VYPR
High severity · NVD Advisory · Published Jun 13, 2023 · Updated Jan 3, 2025

CVE-2023-33695

Description

Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hutool v5.8.17 and below has an information disclosure vulnerability in File.createTempFile() that exposes temporary files to other local users.

Description

CVE-2023-33695 is an information disclosure vulnerability in Hutool, a Java utility library, affecting version 5.8.17 and earlier. The flaw resides in the File.createTempFile() call within core/io/FileUtil.java. The root cause is an insecure usage pattern: the code creates a temporary file, then immediately deletes it and re-creates it with File.createNewFile(), which can open a race window and yields predictable file names [1][2][4].

Exploitation

The attack surface is local; on Unix-like systems (excluding macOS and Windows), the system temporary directory is shared among all users. An attacker co-resident on the same machine can exploit the race condition to either read sensitive information from the temporary file (information disclosure) or hijack the temporary file creation process (temporary directory hijacking). The vulnerability does not require authentication; it leverages the default shared permissions of /tmp [4].

Impact

A successful exploit can lead to two outcomes: 1) Temporary directory information disclosure, allowing a malicious local user to view potentially sensitive files; 2) Temporary directory hijacking, where a local attacker can manipulate or add contents to the directory, potentially leading to local privilege escalation if code executes from that temporary location. This mirrors similar vulnerabilities found in other projects, such as CVE-2020-15250 (JUnit) and CVE-2021-21364 (Swagger) [4].

Mitigation

The vulnerability is patched in Hutool version 5.8.18. The fix replaces the insecure File.createTempFile() call with PathUtil.createTempFile(), which uses Files.createTempFile() from Java 7's NIO API. This secure method creates temporary files with random, non-conflicting names and restricts permissions to the current user only [3][4]. Users should upgrade to Hutool 5.8.18 or later to mitigate the risk.
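As an added illustration (this is not Hutool's code and not part of the commit shown on this page; the class and method names are invented for the demo, and it assumes a POSIX filesystem and the common umask of 022), the following Java program creates one temp file through java.io.File.createTempFile() and one through java.nio.file.Files.createTempFile(), prints the POSIX mode each receives, then shows how the delete-and-createNewFile() step described above discards the owner-only mode, and how to re-create the file with explicit permissions instead:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added demo (hypothetical class, not Hutool code): compares the permissions a
 * temp file receives from the legacy java.io API with those from the NIO API
 * that the fix switches to. Assumes a POSIX filesystem; on other filesystems
 * the permission comparison is skipped because the attribute view is absent.
 */
public class TempFilePermissionDemo {

    /** Render the POSIX mode of a path as an "rw-r--r--"-style string. */
    static String modeOf(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    /** Legacy pattern (Hutool <= 5.8.17): File.createTempFile honours the process
     *  umask, so with the usual umask 022 the file is 0644 and readable by every
     *  local account that can list the shared temp directory. */
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("demo-legacy-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /** Fixed pattern (what PathUtil.createTempFile delegates to): Files.createTempFile
     *  creates the file with owner-only permissions (rw-------) regardless of umask. */
    static Path nioTempFile() throws IOException {
        Path p = Files.createTempFile("demo-nio-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    /** The delete-and-recreate step the advisory describes: even when the file was
     *  first created by the NIO API, deleting it and calling createNewFile() gives the
     *  new inode umask-default permissions again, so the owner-only protection is lost. */
    static Path deleteAndRecreate(Path p) throws IOException {
        File f = p.toFile();
        f.delete();
        f.createNewFile();
        return p;
    }

    /** Hardened re-creation: create the file with explicit owner read/write permissions
     *  instead of relying on createNewFile() and the umask. */
    static Path recreateOwnerOnly(Path p) throws IOException {
        Files.deleteIfExists(p);
        Set<PosixFilePermission> ownerRw =
                EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        return Files.createFile(p, PosixFilePermissions.asFileAttribute(ownerRw));
    }

    /** True when the default filesystem exposes POSIX permission attributes. */
    static boolean isPosix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    public static void main(String[] args) throws IOException {
        if (!isPosix()) {
            System.out.println("Non-POSIX filesystem; permission comparison not applicable here.");
            return;
        }
        Path legacy = legacyTempFile();
        System.out.println("File.createTempFile        -> " + modeOf(legacy));
        Path nio = nioTempFile();
        System.out.println("Files.createTempFile       -> " + modeOf(nio));
        deleteAndRecreate(nio);
        System.out.println("after delete+createNewFile -> " + modeOf(nio));
        recreateOwnerOnly(nio);
        System.out.println("after owner-only recreate  -> " + modeOf(nio));
    }
}
```

Compile and run with `javac TempFilePermissionDemo.java && java TempFilePermissionDemo`. With umask 022 the legacy file shows up as rw-r--r-- and the NIO file as rw-------; the third line demonstrates why a delete/re-create step after the fix would undo the gain, and the fourth shows the explicit-permission alternative.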

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Ecosystem   Affected versions   Patched versions
cn.hutool:hutool-core  Maven       < 5.8.19            5.8.19

Affected products: 2

Patches: 1
c33550f703f5

Fix a vulnerability that FileUtil.createTempFile could lead to

https://github.com/dromara/hutool · Looly · May 15, 2023 · via ghsa
3 files changed · +32 −1
  • CHANGELOG.md+1 0 modified
    @@ -22,6 +22,7 @@
     * 【http  】      修复HttpDownloader.downloadFile 方法缺少static问题(issue#I6Z8VU@Gitee)
     * 【core  】      修复NumberUtil mul 传入null的string入参报错问题(issue#I70JB3@Gitee)
     * 【core  】      修复ZipReader.get调用reset异常问题(issue#3099@Github)
    +* 【core  】      修复FileUtil.createTempFile可能导致的漏洞(issue#3103@Github)
     
     -------------------------------------------------------------------------------------------------------------
     # 5.8.18 (2023-04-27)
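Review bot: the new changelog entry says only that a vulnerability in FileUtil.createTempFile was fixed and does not tell callers what changed for them. Per the FileUtil hunk in this commit, createTempFile now delegates to PathUtil.createTempFile and thus to Files.createTempFile, which on POSIX creates the file with owner-only permissions instead of the umask default; any caller that expected the temp file to be readable by other local accounts will see a behaviour change. Suggest stating the new permission behaviour and the CVE identifier in the entry so downstream consumers can triage the upgrade.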
    
  • hutool-core/src/main/java/cn/hutool/core/io/file/PathUtil.java+28 0 modified
    @@ -668,6 +668,34 @@ public static String getName(Path path) {
     		return path.getFileName().toString();
     	}
     
    +	/**
    +	 * 创建临时文件<br>
    +	 * 创建后的文件名为 prefix[Random].suffix From com.jodd.io.FileUtil
    +	 *
    +	 * @param prefix    前缀,至少3个字符
    +	 * @param suffix    后缀,如果null则使用默认.tmp
    +	 * @param dir       临时文件创建的所在目录
    +	 * @return 临时文件
    +	 * @throws IORuntimeException IO异常
    +	 * @since 6.0.0
    +	 */
    +	public static Path createTempFile(final String prefix, final String suffix, final Path dir) throws IORuntimeException {
    +		int exceptionsCount = 0;
    +		while (true) {
    +			try {
    +				if(null == dir){
    +					return Files.createTempFile(prefix, suffix);
    +				}else{
    +					return Files.createTempFile(mkdir(dir), prefix, suffix);
    +				}
    +			} catch (final IOException ioex) { // fixes java.io.WinNTFileSystem.createFileExclusively access denied
    +				if (++exceptionsCount >= 50) {
    +					throw new IORuntimeException(ioex);
    +				}
    +			}
    +		}
    +	}
    +
     	/**
     	 * 删除文件或空目录,不追踪软链
     	 *
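Review bot: the retry loop in the new createTempFile catches every IOException and retries up to 50 times without distinguishing causes, so a missing or unwritable dir, a full disk, or an invalid prefix loops 50 times (re-running mkdir(dir) on each pass) before the error surfaces, while the comment only explains the Windows access-denied case. Suggest narrowing the retry to the transient case it was written for and rethrowing other IOExceptions immediately. Two documentation points: the Javadoc carries `@since 6.0.0` although the CHANGELOG in this same commit places the change on the 5.8.x line, and "prefix, at least 3 characters" is a File.createTempFile restriction that Files.createTempFile does not impose.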
    
  • hutool-core/src/main/java/cn/hutool/core/io/FileUtil.java+3 1 modified
    @@ -1004,7 +1004,9 @@ public static File createTempFile(String prefix, String suffix, File dir, boolea
     		int exceptionsCount = 0;
     		while (true) {
     			try {
    -				File file = File.createTempFile(prefix, suffix, mkdir(dir)).getCanonicalFile();
    +				// https://github.com/dromara/hutool/issues/3103
    +				//File file = File.createTempFile(prefix, suffix, mkdir(dir)).getCanonicalFile();
    +				final File file = PathUtil.createTempFile(prefix, suffix, null == dir ? null : dir.toPath()).toFile().getCanonicalFile();
     				if (isReCreat) {
     					//noinspection ResultOfMethodCallIgnored
     					file.delete();
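Review bot: the owner-only permissions gained from PathUtil.createTempFile are lost again on the isReCreat path. The new `final File file = PathUtil.createTempFile(...)` line is followed by the unchanged `file.delete();`, and the advisory text says the file is then re-created with File.createNewFile(), which gives the fresh inode umask-default permissions and a name another local user can predict from the one just deleted. Suggest either dropping the delete/re-create step, since the NIO call already returns an empty, exclusively created file, or re-creating through Files.createFile with explicit PosixFilePermissions (owner read/write) on POSIX. Also remove the commented-out `//File file = File.createTempFile(...)` line rather than leaving it next to the issue link; the link alone documents the change.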
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0