{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67030", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T17:45:41.937Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T17:45:41.937Z"}, "descriptions": [{"lang": "en", "value": "Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/codehaus-plexus/plexus-utils/pull/295"}, {"url": "https://github.com/codehaus-plexus/plexus-utils/issues/294"}, {"url": "https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642"}, {"url": "https://github.com/codehaus-plexus/plexus-utils/pull/296"}, {"url": "https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code"}], "id": "CVE-2025-67030", "lastModified": "2026-03-25T18:16:25.880", "metrics": {}, "published": "2026-03-25T18:16:25.880", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/issues/294"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/pull/295"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/pull/296"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:02:02.588326+00:00", "value": {"mitigation_remediation": ["Update plexus-utils to the fixed version 6d780b3378829318ba5c2d29547e0012d5b29642 or later", "Verify that no outdated versions remain in any dependent projects", "If updating is not immediately possible, disable or remove use of the extractFile method from the codebase", "Apply general file path validation to prevent directory traversal", "Ensure that any archive handling processes have strict boundaries and are isolated"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The exposed component is the plexus-utils library, versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642. Any application or environment that incorporates this library and uses the extractFile method is at risk. No additional vendor or product information was supplied. ", "description_and_impact": "A directory traversal flaw exists in the extractFile method of org.codehaus.plexus.util.Expand within the plexus-utils library. By supplying specially crafted paths, an attacker can cause the method to resolve files outside the intended extraction directory, enabling the execution of arbitrary code during the unpacking process. This flaw directly compromises the confidentiality, integrity, and availability of the affected system. The vulnerability is identified as a potential gateway for full system compromise. ", "risk_and_exploitability": "The flaw presents a high risk due to its remote code execution capability. Exploitation requires the attacker to create or supply a malicious archive that triggers the vulnerable extractFile method; once executed, arbitrary code runs under the privileges of the application. No CVSS or EPSS data is available, but because the issue leads directly to code execution, the likelihood of exploitation is considered significant. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is via a crafted archive file processed by the affected component. "}}}}, "created": "2026-03-25T20:56:57.430844+00:00", "title": "Directory Traversal in Plexus Utils ExtractFile Leading to Arbitrary Code Execution", "updated": "2026-03-25T20:56:57.430878+00:00", "vendors": [], "weaknesses": ["CWE-22", "CWE-94"]}