


Perceptive Security
SOC/SIEM Consultancy

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDe…
Published:
20 April 2026 at 22:00:00
Alert date:
21 April 2026 at 07:08:02
Source:
nvd.nist.gov
Mobile & IoT, Security Tools
CVE-2026-39973 affects Apktool versions 3.0.0 and 3.0.1. Commit e10a045 removed the BrutIO.sanitizePath() call from the resource file decoder (ResFileDecoder.java), so the file paths that Apktool reads from the Type String Pool of resources.arsc are used verbatim when decoded resource files are written to the output directory. A maliciously crafted APK can therefore carry resource paths containing '../' sequences that escape the output directory, so that decoding the APK overwrites files elsewhere on the filesystem, for example ~/.ssh/config or ~/.bashrc, or drops a file into a Windows Startup folder, potentially escalating to remote code execution. Version 3.0.2 fixes the regression by re-introducing proper path sanitization.
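To make the mechanism concrete, the following Python is an added example, not Apktool's own code; its sanitize_res_path() is a generic sanitizer and does not claim to reproduce the exact rules of BrutIO.sanitizePath(). It models the decoder's output-path resolution with and without sanitization, so the effect of the removed call can be seen on a traversal string, and adds a byte-level pre-flight scan of an APK's resources.arsc for '../' sequences in both string-pool encodings (UTF-8 and UTF-16LE). The sample APK and its resources.arsc are constructed byte blobs for the demonstration, not a valid ARSC file.

```python
"""Model of CVE-2026-39973 (Apktool 3.0.0/3.0.1 resource-path traversal) plus a
pre-flight triage check. Added example, not Apktool's code.
ASSUMPTION: sanitize_res_path() is a generic sanitizer; it does not claim to
reproduce BrutIO.sanitizePath(). The resources.arsc blob below is CONSTRUCTED
and is not a valid ARSC file.
"""
import io
import posixpath
import re
import zipfile


def resolve_output_path_vulnerable(out_dir: str, res_path: str) -> str:
    """What the decoder effectively does once the sanitizePath() call is gone:
    the resource path from the Type String Pool is joined to the output
    directory as-is. normpath() shows where the OS resolves the '..' to."""
    return posixpath.normpath(posixpath.join(out_dir, res_path))


def sanitize_res_path(res_path: str) -> str:
    """Reject anything that could leave the output directory: absolute paths,
    Windows drive letters, backslashes (a separator on Windows) and any '..'
    segment. Returns the cleaned relative path or raises ValueError."""
    if res_path.startswith("/") or "\\" in res_path or re.match(r"^[A-Za-z]:", res_path):
        raise ValueError(f"absolute or non-POSIX resource path: {res_path!r}")
    parts = [p for p in res_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"traversal in resource path: {res_path!r}")
    return "/".join(parts)


def resolve_output_path_safe(out_dir: str, res_path: str) -> str:
    """Sanitize, join, then confirm the result still lies under out_dir."""
    root = posixpath.normpath(out_dir)
    target = posixpath.normpath(posixpath.join(root, sanitize_res_path(res_path)))
    if target != root and not target.startswith(root + "/"):
        raise ValueError(f"resolved path {target!r} escapes {root!r}")
    return target


def is_safe_res_path(res_path: str) -> bool:
    """Boolean wrapper around sanitize_res_path() for callers that need a verdict."""
    try:
        sanitize_res_path(res_path)
        return True
    except ValueError:
        return False


# Triage heuristics: aapt writes pool strings zero-terminated, as UTF-8 or as
# UTF-16LE, so look for '../' or '..\' in both encodings and capture the rest of
# the string. This is a byte-level scan, not an ARSC parser.
_TRAVERSAL_UTF8 = re.compile(rb"(?:\.\.[/\\])+[^\x00]{0,200}")
_TRAVERSAL_UTF16 = re.compile(rb"(?:\.\x00\.\x00[/\\]\x00)+(?:[^\x00]\x00){0,200}")


def find_traversal_strings(arsc: bytes) -> list:
    """Return every pool string in arsc that starts with a traversal sequence."""
    hits = [m.group(0).decode("utf-8", "replace") for m in _TRAVERSAL_UTF8.finditer(arsc)]
    hits += [m.group(0).decode("utf-16-le", "replace") for m in _TRAVERSAL_UTF16.finditer(arsc)]
    return hits


def check_apk(apk_bytes: bytes) -> list:
    """Open an APK (a zip) from memory and scan its resources.arsc before handing
    it to a decoder. Returns the suspicious strings; empty means nothing found."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "resources.arsc" not in zf.namelist():
            return []
        return find_traversal_strings(zf.read("resources.arsc"))


def build_sample_apk() -> bytes:
    """CONSTRUCTED sample: a zip with a fake resources.arsc carrying one benign
    path, one UTF-8 traversal path and one UTF-16LE traversal path."""
    benign = b"res/drawable/icon.png\x00"
    evil_utf8 = b"../../../../home/user/.bashrc\x00"
    evil_utf16 = ("../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.bat"
                  .encode("utf-16-le") + b"\x00\x00")
    fake_arsc = b"\x02\x00\x0c\x00" + benign + evil_utf8 + evil_utf16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("resources.arsc", fake_arsc)
    return buf.getvalue()


if __name__ == "__main__":
    evil = "../../../../home/user/.bashrc"
    print("3.0.0/3.0.1 would write to:", resolve_output_path_vulnerable("/work/out", evil))
    print("sanitizer accepts it:", is_safe_res_path(evil))
    for s in check_apk(build_sample_apk()):
        print("suspicious resource path:", s)
```

The scan is triage, not a parser: it flags any pool string that begins with a traversal sequence in UTF-8 or UTF-16LE and will miss a path assembled in any other way, so treat a hit as a reason to decode the file only in a throwaway VM, and an empty result as no guarantee.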
Technical details
Mitigation steps:
Upgrade to Apktool 3.0.2 or later, which re-introduces the path sanitization. Until the upgrade is in place, do not decode untrusted APKs with 3.0.0 or 3.0.1, or run the decoder in a disposable VM or container whose filesystem holds nothing worth overwriting.
Affected products:
Apktool
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-39973
https://github.com/iBotPeaches/Apktool/commit/e10a0450c7afcd9462c0b76bcbff0e7428b92bdd#diff-cd531ebe1014bfd18185bf21585ca5cdb16fbcb07703ebc47949a1b4e4e36bc3
https://github.com/iBotPeaches/Apktool/pull/4041
https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2
https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-m8mh-x359-vm8m
This article was created with the assistance of AI technology by Perceptive.
