Critical severity, score 10.0 (NVD advisory). Published Jun 17, 2024; updated Apr 15, 2026.
CVE-2024-37902
Description
DeepJavaLibrary (DJL) is an engine-agnostic deep learning framework in Java. DJL versions 0.1.0 through 0.27.0 do not reject archive entries whose names are absolute paths when extracting archived artifacts, so a crafted archive can write its files directly to arbitrary locations on the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade.
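The bug class in the description is an archive entry name that is an absolute path (or climbs out with `..`) being resolved against the extraction directory with no check, so the entry's own path decides where the file lands. The following is an added Java example, not DJL's code or its fix, of an extraction routine that validates each entry name before writing; the class and method names are assumed.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

/** Extracts a zip archive, refusing any entry that would land outside destDir. */
public final class SafeUnzip {

    /** Validates one entry name against destDir; throws on absolute or escaping names. */
    static Path resolveEntry(Path destDir, String name) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // Absolute entry names are the bug class from the advisory: resolving
        // "/etc/ld.so.preload" against destDir returns the absolute path unchanged.
        if (Paths.get(name).isAbsolute() || name.startsWith("/") || name.startsWith("\\")) {
            throw new IOException("absolute archive entry rejected: " + name);
        }
        Path target = base.resolve(name).normalize();
        // normalize() collapses "../", so an escaping entry no longer starts with base.
        if (!target.startsWith(base)) {
            throw new IOException("archive entry escapes destination: " + name);
        }
        return target;
    }

    static void extract(InputStream in, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(in)) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                Path target = resolveEntry(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zin.closeEntry();
            }
        }
    }

    /** Constructed demo: one benign and two hostile entry names, checked without a real archive. */
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("safe-unzip");
        for (String name : new String[] {"model/ok.txt", "/tmp/owned.txt", "../escape.txt"}) {
            try {
                System.out.println("accepted: " + resolveEntry(dest, name));
            } catch (IOException ex) {
                System.out.println("blocked:  " + ex.getMessage());
            }
        }
    }
}
```

The `startsWith("/")` check matters on Windows, where `Paths.get("/etc/x").isAbsolute()` is false but the name would still resolve to the drive root.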
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| ai.djl:api | Maven | >= 0.1.0, < 0.28.0 | 0.28.0 |
Patches
- 1b55df0aef543
References
- github.com/advisories/GHSA-w877-jfw7-46rj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37902 (GHSA, advisory)
- github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full (GHSA, web)
- github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1 (GHSA, web)
- github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6 (GHSA, web)
- github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0 (GHSA, web)
- github.com/deepjavalibrary/djl/releases/tag/v0.28.0 (NVD, web)
- github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj (NVD, web)