{"id":"CVE-2024-32653","summary":"Insufficient input filtering of \"package name\" allows command execution in the device with shell privileges","details":"jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability.","aliases":["GHSA-3pp3-hg2q-9gpm"],"modified":"2026-04-12T09:49:34.267400Z","published":"2024-04-22T22:13:47.917Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32653.json","cwe_ids":["CWE-20"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"},{"type":"WEB","url":"https://github.com/skylot/jadx/releases/tag/v1.5.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32653.json"},{"type":"ADVISORY","url":"https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32653"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/skylot/jadx","events":[{"introduced":"0"},{"fixed":"f2ea6415c9228523eab1be4b1359eef43ba64372"}]},{"type":"GIT","repo":"https://github.com/skylot/jadx","events":[{"introduced":"0"},{"fixed":"f2ea6415c9228523eab1be4b1359eef43ba64372"}]}],"versions":["v0.4","v0.4.1","v0.5.0","v0.5.0-beta1","v0.5.1","v0.5.2","v0.5.4","v0.6.0","v0.6.1","v0.7.1","v0.8.0","v0.9.0","v1.0.0","v1.1.0","v1.2.0","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7"],"database_specific":{"vanir_signatures_modified":"2026-04-12T09:49:34Z","vanir_signatures":[{"digest":{
"function_hash":"103332005780533498053202047657284946383","length":576},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"function":"convert","file":"jadx-cli/src/main/java/jadx/cli/JadxCLIArgs.java"},"signature_type":"Function","signature_version":"v1","id":"CVE-2024-32653-3a47a040"},{"digest":{"threshold":0.9,"line_hashes":["250637368918785046625410560880765188779","7252600086920650372968659098519645565","144793756495931796042885902937111395498","261144168825223628569520614120628478196","83761355464769585620012853448469428495","120723116044373101633259002554038197782","39464023663414599673678320343297654558","98871669464052845022328525115937547035"]},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"file":"jadx-cli/src/test/java/jadx/cli/RenameConverterTest.java"},"signature_type":"Line","signature_version":"v1","id":"CVE-2024-32653-3b578363"},{"digest":{"threshold":0.9,"line_hashes":["20537953357456439250910846448683778345","7096123205660409183417849417568860720","96954985714700598378976566482877115575","39854674653382625947615415329816658001","290559545559816069669234325474746285563","277190575908414465107584428140244358007","46464984257681181023020213419035113746","287567383877182882503980440280953610132"]},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"file":"jadx-cli/src/main/java/jadx/cli/JadxCLICommands.java"},"signature_type":"Line","signature_version":"v1","id":"CVE-2024-32653-73daa004"},{"digest":{"threshold":0.9,"line_hashes":["190966953002946820870420510531712031543","271447210304827912765075474722486803770","259099364127355780637621982524423470199","302801398567201482209115576787348298486","2963432239078499187101947698940894873","281621488402717623883069330312814761454","275454440091137056533497274518767199913","204988106270154516999805707512
883178097","175592763254026098853518323110504800497"]},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"file":"jadx-core/src/main/java/jadx/api/JadxArgsValidator.java"},"signature_type":"Line","signature_version":"v1","id":"CVE-2024-32653-74da3958"},{"digest":{"threshold":0.9,"line_hashes":["137204616384404342027926792353629800377","3241326883155677807951827821037059810","188298616503292654115192433071675389800","191282993507288051734599875402933779164","150015992258766932401596824491651738884","237798945000181770647326591347326535398","222848250393397233818593450026311684550","332900388282048279410310657818520640835","210581767547967470289898255654576521784","239926726042084735588900126198339024792","75759002193508882975936402069413130017","194195066808167767012309963505099825311","44047918895801167108319068940090348663","138536888287417038914966841503882253475","7131003659886175077169702421365818560"]},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"file":"jadx-cli/src/main/java/jadx/cli/SingleClassMode.java"},"signature_type":"Line","signature_version":"v1","id":"CVE-2024-32653-7648627c"},{"digest":{"threshold":0.9,"line_hashes":["202110388986604940098377668846947655428","173846499568810642491947689134923832377","205847779880972046005754017607891505521","197896076323384601140362263896571775314","153563064628603188722224799519559922928","87211665690073308573144778482696170900","281670684895734357339333826022753421197","313420770862680557202955623703232963668","27506009619698880069222287785187799681","104431123535916616271900162889196289233","256079628039966957860243629213613763415","340232425616005986830086855212366535252","254133839521555363248645796933455969022","320067241860448592161369803268465550686","105135349804760838859480469610730392589","262082582965922386148322060664549681255","18685912184307796059624322960139536
6476","237955636984308362775916901870579087182","65053460758726453995904699826287897576","251644764731833924781670464890815721758","313973414378460246405946024471849306743","113885136727021211919852471355583849089","219991581445494029373715002850857496159","104974998570651180131120574819054181254"]},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"file":"jadx-cli/src/main/java/jadx/cli/JadxCLIArgs.java"},"signature_type":"Line","signature_version":"v1","id":"CVE-2024-32653-89bebf8d"},{"digest":{"function_hash":"201810337535445650311785320384603942366","length":414},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"function":"checkInputFiles","file":"jadx-core/src/main/java/jadx/api/JadxArgsValidator.java"},"signature_type":"Function","signature_version":"v1","id":"CVE-2024-32653-af0cc8e4"},{"digest":{"function_hash":"16049464319790080133363630192845134617","length":289},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"function":"process","file":"jadx-cli/src/main/java/jadx/cli/JadxCLICommands.java"},"signature_type":"Function","signature_version":"v1","id":"CVE-2024-32653-e428e235"},{"digest":{"function_hash":"329689926234255463177404867691350707286","length":536},"deprecated":false,"source":"https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372","target":{"function":"process","file":"jadx-cli/src/main/java/jadx/cli/JadxCLIArgs.java"},"signature_type":"Function","signature_version":"v1","id":"CVE-2024-32653-e8f489a3"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32653.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H"}]}