CVE-2025-70952

HIGH

pf4j <3.14.1 - Path Traversal

Title source: llm

Description

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

References (4)

https://github.com/pf4j/pf4j/issues/618

https://github.com/pf4j/pf4j/issues/623

https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14

View Patch ZIP pw:eip

https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705

Scores

CVSS v3 7.5

EPSS 0.0031

EPSS Percentile 54.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

org.pf4j/pf4j 0 - 3.14.1Maven

pf4j_project/pf4j < 3.14.1

Published Mar 25, 2026

Tracked Since Mar 26, 2026