Cyber Resilience

CVE-2024-37902

Severity: Critical
Published: 17 June 2024
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37902 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Host Software Binary (T1554). The CVE ranks in the top 47.4% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), External Harms (AML.T0048).

Vulnerability details

DeepJavaLibrary (DJL) is an Engine-Agnostic Deep Learning Framework in Java. DJL versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

AI Security Analysis

AI Category: Deep Learning Frameworks
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: DeepJavaLibrary (DJL) is explicitly described as an 'Engine-Agnostic Deep Learning Framework in Java,' matching the Deep Learning Frameworks category. The vulnerability involves improper handling of absolute path archived artifacts, allowing file overwrites, which is a zip-slip-like issue in model/artifact loading.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1554 Compromise Host Software Binary (Persistence): Adversaries may modify host software binaries to establish persistent access to systems.
- T1562.001 Disable or Modify Tools (Defense Evasion): Adversaries may disable, degrade, or tamper with security tools or applications.
- T1543 Create or Modify System Process (Persistence): Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables arbitrary overwriting of system files via absolute path traversal in archived artifacts processed by DJL, facilitating compromise of host software binaries (T1554), disabling or modifying security tools (T1562.001), creation or modification of system processes/services (T1543), and exploitation for privilege escalation (T1068).

MITRE ATLAS Techniques

- AML.T0010: AI Supply Chain Compromise
- AML.T0048: External Harms

Affected Assets

Java: DJL (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
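The control above (pathname validation), applied to the failure mode described under Vulnerability details: the following is an added example, not DJL's own extraction code and not the fix shipped in DJL 0.28.0. It is a small Java extractor that resolves every archive entry name against the target directory and rejects any entry whose name is absolute or that normalises to a location outside that directory, so an archived artifact cannot write to arbitrary system paths. It uses only java.util.zip and java.nio.file; the archive it reads, including the entry names, is constructed in memory for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeArchiveExtract {

    /** Resolves an archive entry name inside targetDir, or throws if it would land outside it. */
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        // Reject absolute names outright: Path.resolve() would return them unchanged,
        // which is exactly how an archive entry ends up overwriting a system file.
        if (entryName.startsWith("/") || entryName.startsWith("\\")
                || entryName.matches("^[A-Za-z]:.*")) {
            throw new IOException("absolute entry name rejected: " + entryName);
        }
        Path root = targetDir.toAbsolutePath().normalize();
        Path resolved = root.resolve(entryName).normalize();
        // normalize() collapses ".." segments, so any escape from root is now visible.
        if (!resolved.startsWith(root)) {
            throw new IOException("traversal entry rejected: " + entryName);
        }
        return resolved;
    }

    /** Extracts a ZIP stream into targetDir, collecting the names of rejected entries. */
    static void extract(InputStream archive, Path targetDir, List<String> rejected) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                Path out;
                try {
                    out = resolveEntry(targetDir, e.getName());
                } catch (IOException bad) {
                    rejected.add(e.getName());   // skip the entry, never write it
                    continue;
                }
                if (e.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    Files.copy(zin, out);        // reads to the end of this entry only
                }
            }
        }
    }

    /** Builds a constructed test archive: one benign entry and two that must be rejected. */
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            String[] names = {"model/weights.bin", "/tmp/absolute-target.txt", "../escaped.txt"};
            for (String n : names) {
                zout.putNextEntry(new ZipEntry(n));
                zout.write(("constructed payload for " + n).getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("safe-extract");
        List<String> rejected = new ArrayList<>();
        extract(new ByteArrayInputStream(buildArchive()), target, rejected);
        System.out.println("extracted into " + target);
        System.out.println("rejected entries: " + rejected);
    }
}
```

Compile and run with `javac SafeArchiveExtract.java && java SafeArchiveExtract`. Only `model/weights.bin` is written under the temporary directory; the absolute entry and the `..` entry are listed as rejected and nothing is written for them. The same resolve-then-check step applies to tar-based artifacts, where link entries also need to be validated or refused; an allow-list of expected file names inside a model archive is a further tightening where the artifact format is known.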
