CVE-2025-70952
Path Traversal in pf4j Unzip.java Enables Zip Slip Attack

Publication date: 2026-03-25

Last updated on: 2026-04-01

Assigner: MITRE

Description
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-01
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pf4j_project
Product: pf4j
Version / Range: all versions before 3.14.1 (3.14.1 excluded)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-70952 is a path traversal vulnerability in the pf4j library's extract() function within Unzip.java. The vulnerability arises because the code improperly handles zip entry names when extracting files from ZIP archives. Specifically, it uses a string-based startsWith() check on canonical paths to validate extracted file locations, which can be bypassed by crafted ZIP entries.

Attackers can exploit this flaw to perform directory traversal or Zip Slip attacks, allowing them to write files outside the intended extraction directory. This happens because the validation does not properly normalize or resolve paths, so malicious entries like '../' sequences or symbolic links can escape the target directory.

The issue was fixed by replacing the string prefix validation with robust path validation using Java NIO Path API, which normalizes and resolves paths before checking if the extracted file is within the destination directory.


How can this vulnerability impact me?

This vulnerability can allow an attacker to write arbitrary files outside the intended extraction directory when processing ZIP files using the vulnerable pf4j library. This can lead to unauthorized file overwrites, potentially modifying or replacing critical system or application files.

Such unauthorized file writes can result in system compromise, data corruption, or execution of malicious code if executable files are overwritten or placed in sensitive locations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from improper handling of zip entry names during ZIP extraction, allowing directory traversal or Zip Slip attacks. Detection involves inspecting ZIP files for malicious entries that attempt to escape the intended extraction directory using relative paths like ".." or crafted paths that bypass naive string prefix checks.

To detect exploitation attempts or vulnerable behavior on your system, you can:

  • Manually inspect ZIP files before extraction for entries containing relative paths (e.g., '../') or suspicious path components.
  • Use commands to list ZIP contents and look for suspicious entries, for example:
      ◦ On Linux/Unix systems, use `unzip -l suspicious.zip` or `zipinfo suspicious.zip` to list entries.
      ◦ Search for entries with '..' using grep: `unzip -l suspicious.zip | grep '\.\.'`; to catch both '..' components and absolute entry names in one pass, list names only and match either form: `zipinfo -1 suspicious.zip | grep -E '^/|(^|/)\.\.(/|$)'`
  • Monitor application logs or error messages for exceptions related to ZIP extraction, such as ZipException indicating attempts to write outside the target directory.

Since the vulnerability is in the pf4j library's extract() function, reviewing application code or logs that use this library for ZIP extraction can help detect attempts or failures due to path traversal.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediate steps include:

  • Update pf4j to a version including the fix from commit 20c2f80089d1ea779e22c2de5f109a0bce4e1b14 or later, which replaces insecure string prefix path validation with robust path normalization and validation using Java NIO Path API.
  • Ensure that ZIP extraction code uses normalized, absolute, and real paths for both the destination directory and extracted files, and verifies that extracted files do not escape the intended directory.
  • Implement or verify that the extraction logic throws exceptions (e.g., ZipException) when an extracted file path is outside the target directory.
  • Avoid using vulnerable versions of pf4j in production environments until patched.

These steps prevent directory traversal and Zip Slip attacks by ensuring that malicious ZIP entries cannot write files outside the intended extraction directory.
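The following is an added example, not pf4j's own code, illustrating both the weakness described in the first answer (a string-based startsWith() check on canonical paths) and the mitigation listed above (normalized, absolute/real NIO Paths compared component-wise, with a ZipException on escape); the class name, method names, the /opt/plugins destination and the sample entry names are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;

public class ZipSlipCheck {
    // Weak pattern the advisory describes: compare canonical path *strings*. "/opt/plugins"
    // is a character prefix of "/opt/plugins-evil/x", so a sibling directory passes.
    static boolean naiveStringCheck(Path dest, String entryName) throws IOException {
        String destCanon = dest.toFile().getCanonicalPath();
        String fileCanon = new File(dest.toFile(), entryName).getCanonicalPath();
        return fileCanon.startsWith(destCanon);
    }
    // Hardened check: real (or absolute) normalized base, resolve the entry against it,
    // normalize again, then compare path *components* with Path.startsWith.
    static Path resolveInside(Path dest, String entryName) throws IOException {
        Path base = (Files.exists(dest) ? dest.toRealPath() : dest.toAbsolutePath()).normalize();
        Path target = base.resolve(entryName).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new ZipException("Entry outside of target directory: " + entryName);
        }
        return target;
    }
    // Extraction loop that applies the hardened check to every entry before writing anything.
    static void extract(InputStream zipStream, Path dest) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            for (ZipEntry e = zis.getNextEntry(); e != null; e = zis.getNextEntry()) {
                Path target = resolveInside(dest, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
    public static void main(String[] args) throws IOException {
        Path dest = Paths.get("/opt/plugins"); // hypothetical destination; need not exist
        // Constructed entry names: one legitimate, two that resolve outside the destination.
        for (String name : new String[] {"plugin/lib.jar", "../outside.txt", "../plugins-evil/x"}) {
            boolean ok;
            try { resolveInside(dest, name); ok = true; } catch (ZipException ex) { ok = false; }
            System.out.printf("%-20s naive=%-5b hardened=%b%n", name, naiveStringCheck(dest, name), ok);
        }
    }
}
```

Running main shows the sibling-directory entry passing the string prefix check but being rejected by the component-wise Path check, which is exactly the class of crafted entry the advisory's fix addresses.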


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in pf4j allows directory traversal or Zip Slip attacks during ZIP file extraction, which can lead to arbitrary file writes outside the intended directory.

Such unauthorized file writes could potentially result in unauthorized access, modification, or deletion of sensitive data.

This risk may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding sensitive data against unauthorized access or alteration.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

