
exploitDog


CVE-2025-70952

Published: 25 Mar 2026
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

Vulnerable configurations

Configuration 1
cpe:2.3:a:pf4j_project:pf4j:*:*:*:*:*:*:*:*
Versions before 3.14.1 (exclusive)

EPSS

Percentile: 52%
0.00287
Low

7.5 High

CVSS3

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 7.5
ubuntu
14 days ago

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

CVSS3: 7.5
debian
14 days ago

pf4j before 20c2f80 has a path traversal vulnerability in the extract( ...

github
14 days ago

pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names
