CVE-2025-70952 in pf4j

Summary

by MITRE • 03/25/2026

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.


Analysis

by VulDB Data Team • 04/01/2026

The vulnerability identified as CVE-2025-70952 affects the pf4j library version prior to commit 20c2f80, specifically within the Unzip.java file's extract() function. This represents a critical security flaw that enables attackers to perform directory traversal or Zip Slip attacks through improper handling of zip entry names. The vulnerability stems from inadequate path validation and normalization mechanisms that fail to properly sanitize file paths contained within zip archives. When processing zip files, the library does not adequately verify or sanitize the paths of individual entries before extracting them to the filesystem, creating opportunities for malicious actors to manipulate the extraction process.

Technically, the vulnerability occurs when the extract() function processes zip entries without validating whether the entry names contain directory traversal sequences such as ../ or ..\ that could cause files to be extracted outside of the intended target directory. This flaw directly maps to CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks. The vulnerability allows adversaries to write files to arbitrary locations on the filesystem, potentially leading to privilege escalation, code execution, or system compromise. The lack of proper path normalization means that even if zip entries contain malicious path sequences, the system does not properly resolve or sanitize these paths before extraction occurs.

From an operational perspective, this vulnerability poses significant risks to systems that utilize pf4j for plugin management or dynamic module loading. Attackers could exploit this weakness by crafting malicious zip archives containing specially crafted file paths that, when processed by the vulnerable library, would extract files to sensitive system locations. The impact extends beyond simple file overwrite operations, as successful exploitation could lead to remote code execution if the extracted files are executable or if they overwrite critical system components. This vulnerability particularly affects applications that automatically download and extract third-party plugins or modules from untrusted sources, making it a prime target for supply chain attacks.

The mitigation strategies for CVE-2025-70952 primarily involve upgrading to the fixed version of pf4j that includes proper path validation and normalization. Organizations should implement strict input validation for all zip file processing operations, ensuring that zip entry names are sanitized before extraction occurs. This includes implementing proper path normalization routines that resolve relative paths and reject entries containing directory traversal sequences. Security controls should also include monitoring for unusual file extraction patterns and implementing least privilege principles for applications that process zip files. Additionally, organizations should consider implementing sandboxing or containerization for zip file processing operations to limit the potential impact of any successful exploitation attempts. The vulnerability aligns with ATT&CK technique T1059.007 for execution through scripting and T1505.003 for server-side includes, emphasizing the need for comprehensive security controls around file processing operations.
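As an added illustration of the check described in the two paragraphs above (example code, not the pf4j project's own Unzip.java), a minimal extract() that resolves each entry against the destination directory, normalizes the result and rejects anything that escapes. The class name SafeUnzip, the sample archive and its entry names are constructed for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Writes each entry under destDir and rejects any entry whose normalized target
    // would land outside it: the validation step the vulnerable extract() lacked.
    static int extract(InputStream zipStream, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(zipStream)) {
            for (ZipEntry entry; (entry = zin.getNextEntry()) != null; zin.closeEntry()) {
                // normalize() collapses "../" and "./" segments; Path.startsWith compares
                // whole components, so "/tmp/dest" is not fooled by "/tmp/dest2/...".
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("Zip Slip entry rejected: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                written++;
            }
        }
        return written;
    }
    // Constructed sample archive (not a real plugin): one benign entry followed by a
    // traversal entry of the kind the advisory describes.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("plugin/plugin.properties"));
            zout.write("plugin.id=demo\n".getBytes());
            zout.putNextEntry(new ZipEntry("../../escaped.txt"));
            zout.write("must never reach the filesystem\n".getBytes());
        }
        return buf.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("pf4j-plugins");
        try {
            extract(new ByteArrayInputStream(sampleZip()), dest);
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Absolute entry names are caught by the same test, because resolve() returns an absolute argument unchanged and the result then fails startsWith(root); a caller that must not leave a half-written plugin behind should validate every entry name (or unpack into a scratch directory) before touching the real plugin directory.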

Responsible

MITRE

Reservation

01/09/2026

Disclosure

03/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00460

KEV

no

Activities

very low
