CVE-2025-70952 - Vulnerability Details

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705
https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14
https://github.com/pf4j/pf4j/issues/618
https://github.com/pf4j/pf4j/issues/623

History

Wed, 25 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
References		https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705 https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14 https://github.com/pf4j/pf4j/issues/618 https://github.com/pf4j/pf4j/issues/623

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-25T00:00:00.000Z

Updated: 2026-03-25T18:34:46.661Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70952

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T19:16:28.260

Modified: 2026-03-25T19:16:28.260

Link: CVE-2025-70952

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object