High severity (8.8) · NVD Advisory · Published Mar 19, 2024 · Updated Apr 15, 2026

CVE-2024-24042

Description

Directory Traversal vulnerability in Devan-Kerman ARRP v.0.8.1 and before allows a remote attacker to execute arbitrary code via the dumpDirect in RuntimeResourcePackImpl component.
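
dumpDirect writes each pack entry under a caller-supplied output directory, so the flaw comes down to how "is this entry inside the output directory" is tested. The following is an added example, not ARRP's code: the class name, method names and entry strings are constructed for illustration. It compares three forms of that test and shows that only the normalized one rejects a name containing `..`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

// Added example: hypothetical class and method names, not ARRP code.
public class ContainmentCheckDemo {

    // Element-wise prefix test on the unnormalized resolved path.
    static boolean rawCheck(Path base, String entry) {
        return base.resolve(entry).startsWith(base);
    }

    // Same test after toAbsolutePath(), which keeps ".." elements in place.
    static boolean absoluteCheck(Path base, String entry) {
        return base.resolve(entry).toAbsolutePath().startsWith(base.toAbsolutePath());
    }

    // Hardened form: collapse ".." on both sides, then compare; refuse on escape.
    static Path resolveInside(Path base, String entry) throws IOException {
        Path root = base.toAbsolutePath().normalize();
        Path target = root.resolve(entry).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes output directory: " + entry);
        }
        return target;
    }

    static boolean normalizedCheck(Path base, String entry) {
        try { resolveInside(base, entry); return true; }
        catch (IOException e) { return false; }
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("dump-demo");
        // Constructed entry names, joined with "/" the way dumpDirect joins its keys.
        List<String> entries = List.of("assets/test/lang/en_us.json",
                                       "assets/../../outside.json");
        for (String entry : entries) {
            System.out.printf("%-30s raw=%b absolute=%b normalized=%b%n", entry,
                    rawCheck(base, entry), absoluteCheck(base, entry),
                    normalizedCheck(base, entry));
        }
        Files.delete(base); // nothing was written; remove the empty temp directory
    }
}
```

`normalize()` is purely lexical; where the output directory may contain symbolic links, `toRealPath()` on the existing parent is the stricter comparison.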

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
net.devtech:arrp (Maven)   < 0.8.2             0.8.2

Patches

7ea80db462c8

oops v0.8.2

3 files changed · +11 -3
  • gradle.properties +1 -1 modified
    @@ -8,7 +8,7 @@ loader_version=0.14.21
     fabric_version=0.84.0+1.20.1
     
     # Mod Properties
    -mod_version=0.8.0
    +mod_version=0.8.1
     maven_group=net.devtech
     archives_base_name=arrp
     # Dependencies
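
    Review bot: mod_version is bumped to 0.8.1 here, but the commit is titled v0.8.2 and the advisory lists 0.8.2 as the patched release, with 0.8.1 still in the affected range. If this build is meant to carry the fix, set mod_version=0.8.2 so the published artifact matches the version users are told to upgrade to.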
    
  • src/main/java/net/devtech/arrp/impl/RuntimeResourcePackImpl.java +2 -2 modified
    @@ -303,7 +303,7 @@ public void dumpDirect(Path output) {
     			for(Map.Entry<List<String>, Supplier<byte[]>> e : this.root.entrySet()) {
     				String pathStr = String.join("/", e.getKey());
     				Path path = output.resolve(pathStr);
    -				if(path.startsWith(output)) {
    +				if(path.toAbsolutePath().startsWith(output.toAbsolutePath())) {
     					Files.createDirectories(path.getParent());
     					Files.write(path, e.getValue().get());
     				} else {
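
    Review bot: the new condition in dumpDirect is still missing normalize(). toAbsolutePath() does not collapse ".." elements and Path.startsWith compares name elements one by one, so output.resolve(pathStr) always begins with output's own elements when pathStr is relative, whatever ".." segments follow. Compute `Path root = output.toAbsolutePath().normalize();` once before the loop and test `root.resolve(pathStr).normalize().startsWith(root)`, then write to that normalized path.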
    @@ -554,7 +554,7 @@ private void write(Path dir, Identifier identifier, byte[] data) {
     			String namespace = identifier.getNamespace();
     			String path = identifier.getPath();
     			Path file = dir.resolve(namespace).resolve(path);
    -			if(file.startsWith(dir)) {
    +			if(file.toAbsolutePath().startsWith(dir.toAbsolutePath())) {
     				Files.createDirectories(file.getParent());
     				try(OutputStream output = Files.newOutputStream(file)) {
     					output.write(data);
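
    Review bot: write() repeats the toAbsolutePath().startsWith(...) test on dir.resolve(namespace).resolve(path), again without normalize(), so it has the same gap as the check in dumpDirect and the two copies can drift apart. Move the containment test into one private helper that normalizes both paths, call it from both places, and open the output stream on the path the helper returns.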
    
  • src/test/java/test/RRPPreTest.java +8 -0 modified
    @@ -16,6 +16,7 @@
     
     import com.google.gson.Gson;
     import com.google.gson.GsonBuilder;
    +import net.devtech.arrp.api.RuntimeResourcePack;
     import net.devtech.arrp.impl.RuntimeResourcePackImpl;
     import net.devtech.arrp.json.blockstate.JMultipart;
     import net.devtech.arrp.json.blockstate.JState;
    @@ -27,9 +28,14 @@
     
     import net.minecraft.util.Identifier;
     import net.minecraft.util.math.Direction;
    +import java.nio.file.Path;
     
     public class RRPPreTest {
     	public static void main(String[] args) {
    +		RuntimeResourcePack pack = RuntimeResourcePack.create("test:test");
    +		pack.addLang(new Identifier("aaaa:aaaa"), new JLang().entry("aaaa", "bbbbb"));
    +		pack.dumpDirect(Path.of("aaaa"));
    +
     		JState iron_block = state(variant(JState.model("block/iron_block")));
     		JState oak_fence = state(multipart(JState.model("block/oak_fence_post")),
     				multipart(JState.model("block/oak_fence_side").uvlock()).when(when().add("north", "true")),
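
    Review bot: the three lines added at the top of main() call dumpDirect with a well-formed identifier ("aaaa:aaaa") and assert nothing, so they only exercise the accepted branch of the changed check and appear to behave the same with or without the fix. Add a case whose entry path contains ".." and assert that no file is created outside the output directory. Also write into a temporary directory rather than Path.of("aaaa"), which leaves files behind in the working directory.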
    @@ -47,6 +53,8 @@ public static void main(String[] args) {
     		                                                      .west(face("all").uv(9, 0, 11, 16))
     		                                                      .east(face("all").uv(9, 0, 11, 16))));
     
    +
    +
     		Gson gson = new GsonBuilder().registerTypeAdapter(JMultipart.class, new JMultipart.Serializer())
     		                             .registerTypeAdapter(JWhen.class, new JWhen.Serializer())
     		                             .registerTypeAdapter(JState.class, new JState.Serializer())
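
    Review bot: the two lines added before the Gson builder are empty. Drop them so the commit contains only the version bump, the check change and the test.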
    
