Apktool versions 3.0.0 and 3.0.1 contain a path traversal vulnerability in the resource file decoding component (ResFileDecoder.java). The vulnerability arose from the removal of the BrutIO.sanitizePath() function, which previously prevented directory traversal attacks. An attacker can craft an APK with '../' sequences in the resources.arsc Type String Pool, causing the tool to write files outside the intended output directory during the 'apktool d' decode operation. This can lead to arbitrary file writes to sensitive locations such as ~/.ssh/config or ~/.bashrc, potentially enabling remote code execution. The issue was corrected in version 3.0.2 by restoring the path sanitization call before file writes.

Successful exploitation allows an attacker with the ability to decode a malicious APK using vulnerable Apktool versions to write arbitrary files to arbitrary locations on the filesystem. This can lead to overwriting critical user files, such as SSH configuration or shell startup scripts, which may escalate to remote code execution under the victim's user context. The vulnerability does not affect Apktool versions prior to 3.0.0 or versions 3.0.2 and later. No known exploits have been reported in the wild to date.

Users should upgrade to Apktool version 3.0.2 or later, where the path traversal vulnerability is fixed by reintroducing the path sanitization function. Until upgrading, avoid decoding untrusted APK files with vulnerable versions 3.0.0 and 3.0.1. Patch status is confirmed by the vendor's fix in version 3.0.2. No additional mitigations are indicated by the vendor advisory.