Impact
A directory‑traversal flaw exists in the file extraction routine of the PlexusUtils library. When an attacker supplies a specifically crafted archive, the library writes files outside the intended destination directory, allowing arbitrary files to be created or overwritten. This enables execution of arbitrary code on the host system and, at worst, compromises the confidentiality, integrity, and availability of the machine that performs the extraction.
Affected Systems
Any Java application that relies on PlexusUtils versions before the commit identified by 6d780b3378829318ba5c2d29547e0012d5b29642 is susceptible. This includes popular build tools, continuous‑integration platforms, integrated development environments, and other software that performs archive extraction without additional safeguards.
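The safeguard referred to above is a containment check on each entry before it is written. The following is an added illustration of such a check, not PlexusUtils code or its fix; the class name, the `resolveInside` helper and the sample entry names are assumptions for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Added example: reject archive entry names that would escape the destination. */
public final class SafeExtract {

    /**
     * Resolve an archive entry name against the destination directory and
     * verify that the normalized result is still inside it. Returns the safe
     * target path, or throws if the entry would land outside the directory.
     */
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // Path.resolve returns an absolute entry name unchanged, so absolute
        // names and ".." sequences both surface here after normalize().
        Path candidate = base.resolve(entryName).normalize();
        // Path.startsWith compares whole components, so "/tmp/dest2" is not
        // accepted as being inside "/tmp/dest" (a plain String check would be).
        if (!candidate.startsWith(base)) {
            throw new IOException("Entry escapes destination: " + entryName);
        }
        // Caveat: normalize() does not follow symlinks; a pre-existing link
        // inside destDir could still redirect the write. Resolving existing
        // parents with toRealPath() closes that gap when it matters.
        return candidate;
    }

    // Walk entries as an archive reader would; only the containment check is shown.
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract-demo");
        // Constructed entry names: one benign, two that leave the destination.
        List<String> entries = List.of("docs/readme.txt", "../../escaped.txt", "/abs/escaped.txt");
        for (String e : entries) {
            try {
                Path target = resolveInside(dest, e);
                Files.createDirectories(target.getParent());
                Files.writeString(target, "sample content\n");
                System.out.println("wrote " + target);
            } catch (IOException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }
    }
}
```

Running it writes only `docs/readme.txt` under the temporary directory and rejects the other two entries.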
Risk and Exploitability
The vulnerability carries a CVSS score of 8.8, signalling high severity, while the EPSS score of less than one percent suggests that exploitation attempts have not been widely observed yet. The flaw is not recorded in the CISA Known Exploited Vulnerabilities catalog. Attackers can target services that accept untrusted archives from external sources; in local contexts, a user with the ability to supply an archive to an application can also trigger the flaw.
Github GHSA