Description
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Directory Traversal
Action: Patch Now
AI Analysis

Impact

pf4j versions before commit 20c2f800 contain a path-traversal vulnerability in the Unzip.extract method. Improper handling of zip entry names allows a malicious archive to write files outside the intended extraction directory, potentially overwriting existing files or placing files in arbitrary locations. This weakness is identified as CWE-22 and is quantified with a CVSS v3.1 score of 7.5, indicating high severity.

Affected Systems

The vulnerability affects all releases of the pf4j framework that use the Unzip helper prior to commit 20c2f800. Applications or services that employ pf4j for plugin or extension installation and rely on its unzip functionality for handling ZIP archives are at risk. Versions newer than this commit are not affected.

Risk and Exploitability

The EPSS score is below 1%, and the vulnerability is not included in CISA's KEV catalog, suggesting a low current exploitation probability. The likely attack vector is when an attacker can supply a malicious ZIP file to a component that invokes pf4j's unzip logic, such as during plugin upload or extension installation. The exploit would require write access to the base extraction directory; success could allow modification of the file system as the application runs.

Generated by OpenCVE AI on April 2, 2026 at 05:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pf4j to a version containing commit 20c2f800 or newer.
  • If an upgrade is unavailable, add path validation to ensure extracted entry paths remain inside the intended directory before writing files.
  • Limit exposure by restricting which users or services can provide ZIP files to pf4j’s unzip functionality, and monitor logs for extraction attempts.

Generated by OpenCVE AI on April 2, 2026 at 05:18 UTC.
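The per-entry path validation recommended above, as an added example in Java that is not pf4j's own code (the class name SafeUnzip and the demo archive are constructed for illustration). Each entry name is resolved against the normalized destination directory and rejected when the normalized result does not stay beneath it, which covers both "../" segments and absolute entry names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {
    /** Extracts every entry of zipFile below destDir; an entry resolving outside destDir aborts the extraction. */
    public static void extract(Path zipFile, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        try (ZipInputStream zin = new ZipInputStream(Files.newInputStream(zipFile))) {
            for (ZipEntry entry; (entry = zin.getNextEntry()) != null; zin.closeEntry()) {
                Path target = resolveInside(root, entry.getName());   // validate before any write
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
    /** Normalizes the entry name against root (collapsing ".." and absolute names) and fails if it leaves root. */
    static Path resolveInside(Path root, String entryName) throws IOException {
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes destination directory: " + entryName);
        }
        return target;
    }
    // Demo on a constructed archive: one benign entry, then one that tries to climb out of destDir.
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("zipslip-demo");
        Path zip = tmp.resolve("plugin.zip");
        try (ZipOutputStream zout = new ZipOutputStream(Files.newOutputStream(zip))) {
            for (String name : new String[] {"plugin/ok.txt", "../escape.txt"}) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write(name.getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        try {
            extract(zip, tmp.resolve("plugins"));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because entries are validated as they are streamed, a rejected entry leaves earlier entries on disk; extract into a fresh staging directory and discard it on failure.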


Advisories
Source: Github GHSA; ID: GHSA-5458-7hh9-v7p4; Title: pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Path Traversal Leading to Zip Slip in pf4j Unzip Function

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Pf4j Project
Pf4j Project pf4j
CPEs cpe:2.3:a:pf4j_project:pf4j:*:*:*:*:*:*:*:*
Vendors & Products Pf4j Project
Pf4j Project pf4j

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Title Path Traversal Leading to Zip Slip in pf4j Unzip Function

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Path Traversal Vulnerability in PF4J Zip Extraction
Weaknesses CWE-20

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Path Traversal Vulnerability in PF4J Zip Extraction
Weaknesses CWE-20
CWE-22

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Path Traversal Vulnerability in PF4J Zip Extraction
Weaknesses CWE-22

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Path Traversal Vulnerability in PF4J Zip Extraction
Weaknesses CWE-22

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Pf4j Zip Extraction Path Traversal Allowing Zip Slip
Weaknesses CWE-22
CWE-36

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Pf4j
Pf4j pf4j
Vendors & Products Pf4j
Pf4j pf4j

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Pf4j Zip Extraction Path Traversal Allowing Zip Slip
Weaknesses CWE-22
CWE-36

Wed, 25 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-28T01:20:21.432Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70952

Vulnrichment

Updated: 2026-03-28T01:20:11.209Z

NVD

Status : Analyzed

Published: 2026-03-25T19:16:28.260

Modified: 2026-04-01T13:44:35.553

Link: CVE-2025-70952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:21Z

Weaknesses