Cyber Resilience

CVE-2025-0851

Severity: Critical
Published: 29 January 2025
Modified: 15 April 2026
KEV Added: not listed in CISA KEV
Patch: DJL v0.31.1
CVSS Score (v4): 9.3, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.4369 (97.6th percentile)
Risk Priority: 45 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0851 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Amazon's Deep Java Library (DJL); the vendor is inferred from the references, as NVD did not file a CPE for this CVE. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks in the top 2.4% of CVEs by exploit likelihood (EPSS 97.6th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A path traversal vulnerability tracked as CVE-2025-0851 affects ZipUtils.unzip and TarUtils.untar within the Deep Java Library (DJL) on all platforms. The flaw, assigned CWE-36 and CWE-73, permits an attacker to supply crafted archive files that cause writes to arbitrary filesystem locations outside the intended extraction directory.

An unauthenticated remote attacker can exploit the issue over the network by supplying a malicious ZIP or TAR archive to any DJL-based application that invokes the affected utility methods; exposure is therefore limited to code paths where archives from untrusted sources reach those methods. Successful exploitation yields high impact on confidentiality, integrity, and availability through arbitrary file writes that may overwrite configuration, binaries, or other sensitive resources.

The referenced AWS security bulletin AWS-2025-003, DJL release v0.31.1, and GitHub Security Advisory GHSA-jcrp-x7w3-ffmg describe the issue and indicate that the flaw is resolved in DJL version 0.31.1. The EPSS score remains flat at 0.4369 with no material increase after disclosure.

Vulnerability details

A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations.

CWE(s)

CWE-36 Absolute Path Traversal; CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1105 Ingress Tool Transfer (Command and Control): adversaries may transfer tools or other files from an external system into a compromised environment.
- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Arbitrary file write via malicious archive directly enables ingress of attacker-controlled files (T1105); remote unauthenticated exploitation of a library in an application maps to public-facing app exploitation (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-34522 (shared CWE-73)
- CVE-2026-25628 (shared CWE-73)
- CVE-2025-57790 (shared CWE-36)
- CVE-2026-40370 (shared CWE-73)
- CVE-2025-10134 (shared CWE-73)
- CVE-2025-65115 (shared CWE-73)
- CVE-2025-55746 (shared CWE-73)
- CVE-2025-65473 (shared CWE-73)
- CVE-2026-35465 (shared CWE-36, CWE-73)
- CVE-2026-0846 (shared CWE-36)

Affected Assets

Amazon (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- Prevent: directly remediates the path traversal vulnerability by requiring timely patching of DJL to version v0.31.1 as specified in the security advisory.
- Prevent: enforces validation of file paths in ZIP and TAR archives processed by DJL's extraction utilities to block traversal to arbitrary filesystem locations.
- Prevent: imposes restrictions on the structure and content of inputs to archive extraction functions, preventing path traversal sequences like '../' from being processed.
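The input-validation controls above amount to one concrete check: resolve each archive entry name against the extraction directory and refuse any entry that lands outside it. The Java class below is an added example of that check; it is not DJL's code and not the fix shipped in v0.31.1, and the class name `SafeUnzip`, the method names and the sample archives are this example's own. It rejects both `../` segments (the CWE-73 pattern) and absolute entry names (the CWE-36 pattern), which `Path.resolve()` would otherwise return unchanged.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Hypothetical hardened extractor; class and method names are this example's own. */
public final class SafeUnzip {

    /**
     * Maps an archive entry name onto a path inside dest, or throws if it would land
     * outside. Path.resolve() returns an absolute argument unchanged, so the containment
     * check must run on the resolved and normalized result, never on the raw name.
     */
    static Path resolveEntry(Path dest, String entryName) throws IOException {
        Path base = dest.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        // startsWith compares whole path components, so "/out" does not match "/outside".
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("archive entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    /** Extracts a ZIP stream into dest, refusing any entry that resolveEntry() rejects. */
    public static void unzip(InputStream in, Path dest) throws IOException {
        Files.createDirectories(dest);
        try (ZipInputStream zis = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; zis.closeEntry()) {
                Path target = resolveEntry(dest, e.getName()); // validate before any write
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    /** Builds a small in-memory ZIP with the given entry names (constructed sample data). */
    static byte[] zipOf(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String n : names) {
                zos.putNextEntry(new ZipEntry(n));
                zos.write("payload".getBytes(StandardCharsets.US_ASCII));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("safe-unzip");
        // Constructed sample archives: one benign, one with a "../" entry, one absolute.
        String[][] samples = {
            {"models/ok.txt"},
            {"../escaped.txt"},
            {"/tmp/absolute.txt"},
        };
        for (String[] names : samples) {
            try {
                unzip(new ByteArrayInputStream(zipOf(names)), dest);
                System.out.println("extracted: " + String.join(",", names));
            } catch (IOException ex) {
                System.out.println("rejected:  " + ex.getMessage());
            }
        }
    }
}
```

Run it with `java SafeUnzip.java` (JDK 11 or later). On a POSIX host the first archive extracts under the temporary directory and the other two are rejected before any file is written. The same `resolveEntry` check applies to TAR extraction, with one extra step: a TAR symlink or hardlink entry carries a link target that also needs to be resolved against the destination, since an entry may otherwise create a link pointing outside the tree. Note too that on Windows an entry name such as `/tmp/absolute.txt` is not absolute (no drive letter) and would extract inside `dest`; names like `C:\...` are the absolute form there, and the resolved-path check catches those.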

References