There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
References
| Link | Resource |
|---|---|
| https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03 | Release Notes |
Configurations
Configuration 1 (hide)
|
History
04 Aug 2025, 14:11
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Google androidx.car.app
|
|
| CPE | cpe:2.3:a:google:car:1.7.0:beta01:*:*:*:*:*:* cpe:2.3:a:google:car:*:*:*:*:*:*:*:* cpe:2.3:a:google:car:1.7.0:alpha01:*:*:*:*:*:* |
cpe:2.3:a:google:androidx.car.app:1.7.0:beta01:*:*:*:*:*:* cpe:2.3:a:google:androidx.car.app:1.7.0:alpha02:*:*:*:*:*:* cpe:2.3:a:google:androidx.car.app:1.7.0:alpha01:*:*:*:*:*:* cpe:2.3:a:google:androidx.car.app:*:*:*:*:*:*:*:* |
29 Jul 2025, 18:17
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:google:car:1.7.0:alpha02:*:*:*:*:*:* cpe:2.3:a:google:car:1.7.0:alpha01:*:*:*:*:*:* cpe:2.3:a:google:car:1.7.0:beta01:*:*:*:*:*:* cpe:2.3:a:google:car:*:*:*:*:*:*:*:* |
|
| References | () https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03 - Release Notes | |
| First Time |
Google car
|
Information
Published : 2024-11-20 11:15
Updated : 2025-08-04 14:11
NVD link : CVE-2024-10382
Mitre link : CVE-2024-10382
CVE.ORG link : CVE-2024-10382
JSON object : View
Products Affected
- androidx.car.app