{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70952", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T18:34:46.661Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T18:34:46.661Z"}, "descriptions": [{"lang": "en", "value": "pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/pf4j/pf4j/issues/618"}, {"url": "https://github.com/pf4j/pf4j/issues/623"}, {"url": "https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14"}, {"url": "https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation."}], "id": "CVE-2025-70952", "lastModified": "2026-03-25T19:16:28.260", "metrics": {}, "published": "2026-03-25T19:16:28.260", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705"}, {"source": "cve@mitre.org", "url": "https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14"}, {"source": "cve@mitre.org", "url": "https://github.com/pf4j/pf4j/issues/618"}, {"source": "cve@mitre.org", "url": "https://github.com/pf4j/pf4j/issues/623"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:02:21.426648+00:00", "value": {"mitigation_remediation": ["Update Pf4j to a version that includes the patch referenced in the commit 20c2f80 or later.", "If an immediate update is not feasible, replace the affected Unzip.java implementation with the corrected code that normalizes entry names and validates paths before extraction.", "As a temporary measure, limit the execution of zip extraction to a trusted environment, run the process with the minimum necessary privileges, and enforce strict directory whitelisting to prevent files from being written outside the intended location.", "Avoid accepting or processing untrusted zip archives until a proper patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via directory traversal in zip extraction"}, "threat_synthesis": {"affected_systems": "Applications that incorporate the Pf4j plugin framework and are running a version prior to the commit identified by 20c2f80 are vulnerable. Pf4j is deployed in many Java\u2011based platforms that use dynamic plugin loading, so any environment that accepts user\u2011supplied zip modules without additional validation is impacted.", "description_and_impact": "The vulnerability arises from the Unzip.java extract function within the Pf4j library, which fails to properly normalize or validate zip entry names. When a malicious zip file is processed, the unchecked entry names can cause the extraction routine to write files outside the intended directory, enabling a classic Zip Slip attack. An attacker who can supply or influence a zip payload can thereby overwrite critical files or create arbitrary files, leading to potential integrity compromise, privilege escalation, and remote code execution on the host system.", "risk_and_exploitability": "No CVSS or EPSS data is available, but the nature of the flaw suggests medium to high severity for deployments that accept external zip files. The attack vector is local to the process executing the extraction routine; if this process is exposed via a network service, remote exploitation becomes viable. Because the vulnerability is library\u2011wide, whichever application ends up de\u2011compressing untrusted archives is at risk, making it broadly exploitable in real\u2011world scenarios."}}}}, "created": "2026-03-25T20:56:58.451015+00:00", "title": "Pf4j Zip Extraction Path Traversal Allowing Zip Slip", "updated": "2026-03-25T20:56:58.451043+00:00", "vendors": [], "weaknesses": ["CWE-22", "CWE-36"]}