CVE-2025-67030
Directory Traversal in plexus-utils Expand Allows Code Execution

Publication date: 2026-03-25

Last updated on: 2026-05-01

Assigner: MITRE

Description
Directory traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before commit 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code.
Meta Information
Published: 2026-03-25
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
  • Vendor: codehaus-plexus, Product: plexus-utils, Version / Range: up to 3.6.1 (exclusive)
  • Vendor: codehaus-plexus, Product: plexus-utils, Version / Range: from 4.0.0 (inclusive) to 4.0.3 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67030 is a directory traversal vulnerability found in the extractFile method of the org.codehaus.plexus.util.Expand class within the plexus-utils library. The vulnerability arises because the method attempts to prevent path traversal attacks by checking if the absolute path of a file to be extracted starts with the absolute path of the target directory using a simple string prefix check. However, this check is flawed because it does not use canonical paths, which resolve symbolic links and normalize paths.

Due to this, attackers can craft archive entries with paths that appear to be inside the target directory based on string prefix matching but actually point outside it, exploiting symbolic links, case differences, or redundant path elements. This allows unauthorized file extraction outside the intended directory, leading to potential arbitrary code execution.

The root cause is the lack of canonicalization before the path prefix check, making the defense prone to bypasses and enabling directory traversal attacks.


How can this vulnerability impact me?

This vulnerability can allow an attacker to write files outside the intended extraction directory during archive extraction. By exploiting the directory traversal flaw, an attacker can overwrite arbitrary files within the user's permission scope.

Such unauthorized file writes can lead to several impacts including:

  • Overwriting critical system or application files, potentially causing denial of service or application malfunction.
  • Writing malicious files that could be executed later, leading to arbitrary code execution and full system compromise.
  • Escalation of privileges if the attacker can place files in sensitive locations.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

The CVE-2025-67030 vulnerability is a directory traversal flaw in the extractFile method of the plexus-utils library, which can be detected by analyzing archive extraction behavior for attempts to write files outside the intended extraction directory.

Detection involves monitoring for suspicious archive entries that contain path traversal sequences such as '../' or absolute paths that attempt to escape the target directory.

Since the vulnerability arises from improper path validation, you can detect exploitation attempts by checking extracted files for unexpected locations outside the extraction directory.

Suggested commands to detect potential exploitation attempts include:

  • Using 'find' to locate files created outside the expected extraction directory. The search must start above the extraction directory, otherwise the '! -path' test excludes every file it visits; for example, to list files written since a given archive arrived: find / -xdev -type f -newer /path/to/archive.zip ! -path '/target/extract/*'
  • Monitoring archive extraction logs or enabling verbose logging in applications using plexus-utils to detect exceptions or errors related to path validation failures.
  • Using file integrity monitoring tools to detect unexpected file creations or modifications outside designated directories.

Additionally, reviewing source code or binaries for usage of the vulnerable extractFile method without the canonical path validation fix can help identify vulnerable systems.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2025-67030, immediately update the plexus-utils library to a version that includes the fix identified by commit 6d780b3378829318ba5c2d29547e0012d5b29642 or later.

The fix involves validating extracted file paths using canonical paths rather than absolute paths, preventing directory traversal attacks.

  • Apply the patch or upgrade to a version where the extractFile method uses canonical path checks to ensure extracted files remain within the target directory.
  • If upgrading immediately is not possible, implement additional validation in your application to reject archive entries with path traversal sequences or absolute paths before extraction.
  • Restrict permissions of the user or process performing archive extraction to limit potential damage from exploitation.
  • Monitor extraction processes and logs for suspicious activity or errors indicating path validation failures.

Following these steps will prevent attackers from exploiting the directory traversal vulnerability to write files outside the intended extraction directory and potentially execute arbitrary code.
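The root cause explained earlier (a prefix check on absolute paths) and the canonical-path fix recommended above, side by side, as an added illustration that is not plexus-utils source code. The target directory and archive entry names are constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

// Added illustration (not plexus-utils code): the flawed absolute-path prefix
// check next to a canonical-path check with a trailing separator.
public class ExtractPathCheck {

    // Pattern the advisory describes as flawed: getAbsolutePath() resolves the
    // path against the working directory but does not collapse ".." or follow
    // symlinks, so "/target/extract/../../x" still starts with "/target/extract".
    // A sibling directory such as "/target/extract2" also passes the prefix test.
    static boolean absolutePrefixCheck(File targetDir, String entryName) {
        File out = new File(targetDir, entryName);
        return out.getAbsolutePath().startsWith(targetDir.getAbsolutePath());
    }

    // Hardened form: canonicalise both sides (collapses "." and "..", resolves
    // symlinks on the parts that exist) and require the trailing separator so
    // that only entries strictly inside targetDir are accepted.
    static boolean canonicalPrefixCheck(File targetDir, String entryName) throws IOException {
        String base = targetDir.getCanonicalPath();
        if (!base.endsWith(File.separator)) {
            base += File.separator;
        }
        String out = new File(targetDir, entryName).getCanonicalPath();
        return out.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed target directory; it does not need to exist for the checks.
        File targetDir = new File(System.getProperty("java.io.tmpdir"), "extract-demo");
        // Constructed archive entry names: one benign, two that escape the directory.
        List<String> entries = List.of(
                "docs/readme.txt",
                "../../outside.txt",
                "sub/../../sibling.txt");
        for (String e : entries) {
            System.out.printf("%-24s absolute-prefix=%-5b canonical=%b%n",
                    e, absolutePrefixCheck(targetDir, e), canonicalPrefixCheck(targetDir, e));
        }
    }
}
```

Only the first entry passes the canonical check; the two traversal entries pass the absolute-prefix check but are rejected once the paths are canonicalised.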


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2025-67030 vulnerability allows directory traversal attacks that can lead to arbitrary file overwrites outside the intended extraction directory. This can enable attackers to write malicious files to sensitive locations or escalate privileges.

Such unauthorized file access and potential arbitrary code execution could result in unauthorized disclosure, modification, or destruction of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, systems using vulnerable versions of plexus-utils may fail to comply with security controls mandated by these regulations, which require protection against unauthorized access and integrity violations of sensitive information.

