Apktool versions 3.0.0 and 3.0.1 contain a path traversal vulnerability in the resource file decoding component (ResFileDecoder.java). The vulnerability arises from the removal of the BrutIO.sanitizePath() method call, which previously prevented directory traversal attacks during file extraction. An attacker can craft an APK with '../' sequences in the resources.arsc Type String Pool to escape the output directory and write arbitrary files to the filesystem, potentially leading to remote code execution by overwriting critical user files like ~/.ssh/config or ~/.bashrc. This security regression was introduced in December 2025 and fixed in version 3.0.2 by restoring the path sanitization.

Successful exploitation allows an attacker to write arbitrary files to arbitrary locations on the filesystem during APK decoding, which can lead to remote code execution if critical files are overwritten. The vulnerability compromises confidentiality and integrity but does not affect availability. The CVSS 3.1 vector indicates local attack vector with low complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity.

A fix is available in Apktool version 3.0.2, which reintroduces the path sanitization function to prevent path traversal. Users should upgrade to version 3.0.2 or later to remediate this vulnerability. Since this is not a cloud service, remediation requires updating the local software installation. No vendor advisory content was provided to indicate alternative mitigations or temporary fixes.