VDB
CVE-2025-70952
CVE-2025-70952
PUBLISHED
CVSS 7.5 HIGH
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
EPSS 0.46% · 64.4th percentile
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.46%
64.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a, *, n/a |
| Maven | org.pf4j:pf4j | 0, 0, 0 |
Timeline
- Mar 25, 2026 CVE Published
- Mar 25, 2026 PoC Published
- Mar 26, 2026 Coalition ESS Score
- Mar 27, 2026 CVE Updated
- Mar 28, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
References
- https://github.com/pf4j/pf4j/issues/618 url
- https://github.com/pf4j/pf4j/issues/623 url
- https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14 url
- https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-70952 advisory
- https://github.com/pf4j/pf4j package