GHSA-jf2q-463c-6f52: androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers)

May 21, 2026

generateZipPath() constructs zip entry names for collected APKs using device controlled content from extractFileName(). Since extractFileName() does not reject traversal sequences, the resulting zip entry name can contain ../. AndroidQF itself does not extract the zip it creates, but any forensic tool that extracts the acquisition bundle without zip-slip protection could write files to attacker chosen paths.

References

github.com/advisories/GHSA-jf2q-463c-6f52
github.com/mvt-project/androidqf/releases/tag/v1.8.3
github.com/mvt-project/androidqf/security/advisories/GHSA-jf2q-463c-6f52

Code Behaviors & Features

Detect and mitigate GHSA-jf2q-463c-6f52 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →