CVE-2025-70952

HIGH7.5

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip

Published Mar 25, 2026

Modified 1 months ago

Details

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

References

WEB

https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705

WEB

https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14

WEB

https://github.com/pf4j/pf4j/issues/618

WEB

https://github.com/pf4j/pf4j/issues/623

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2025-70952

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ecosystems

Timeline

PublishedMar 25, 2026

ModifiedMar 28, 2026