CVE-2025-70952
Received Received - Intake
Path Traversal in pf4j Unzip.java Enables Zip Slip Attack

Publication date: 2026-03-25

Last updated on: 2026-04-01

Assigner: MITRE

Description
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70952
EUVD
EUVD-2025-209006
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pf4j_project pf4j to 3.14.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70952 is a path traversal vulnerability in the pf4j library's extract() function within Unzip.java. The vulnerability arises because the code improperly handles zip entry names when extracting files from ZIP archives. Specifically, it uses a string-based startsWith() check on canonical paths to validate extracted file locations, which can be bypassed by crafted ZIP entries.

Attackers can exploit this flaw to perform directory traversal or Zip Slip attacks, allowing them to write files outside the intended extraction directory. This happens because the validation does not properly normalize or resolve paths, so malicious entries like '../' sequences or symbolic links can escape the target directory.

The issue was fixed by replacing the string prefix validation with robust path validation using Java NIO Path API, which normalizes and resolves paths before checking if the extracted file is within the destination directory.

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files outside the intended extraction directory when processing ZIP files using the vulnerable pf4j library. This can lead to unauthorized file overwrites, potentially modifying or replacing critical system or application files.

Such unauthorized file writes can result in system compromise, data corruption, or execution of malicious code if executable files are overwritten or placed in sensitive locations.

Detection Guidance

This vulnerability arises from improper handling of zip entry names during ZIP extraction, allowing directory traversal or Zip Slip attacks. Detection involves inspecting ZIP files for malicious entries that attempt to escape the intended extraction directory using relative paths like ".." or crafted paths that bypass naive string prefix checks.

To detect exploitation attempts or vulnerable behavior on your system, you can:

  • Manually inspect ZIP files before extraction for entries containing relative paths (e.g., '../') or suspicious path components.
  • Use commands to list ZIP contents and look for suspicious entries, for example:
  • On Linux/Unix systems, use: `unzip -l suspicious.zip` or `zipinfo suspicious.zip` to list entries.
  • Search for entries with '..' or absolute paths using grep: `unzip -l suspicious.zip | grep '\.\.'`
  • Monitor application logs or error messages for exceptions related to ZIP extraction, such as ZipException indicating attempts to write outside the target directory.

Since the vulnerability is in the pf4j library's extract() function, reviewing application code or logs that use this library for ZIP extraction can help detect attempts or failures due to path traversal.

Mitigation Strategies

To mitigate this vulnerability, immediate steps include:

  • Update pf4j to a version including the fix from commit 20c2f80089d1ea779e22c2de5f109a0bce4e1b14 or later, which replaces insecure string prefix path validation with robust path normalization and validation using Java NIO Path API.
  • Ensure that ZIP extraction code uses normalized, absolute, and real paths for both the destination directory and extracted files, and verifies that extracted files do not escape the intended directory.
  • Implement or verify that the extraction logic throws exceptions (e.g., ZipException) when an extracted file path is outside the target directory.
  • Avoid using vulnerable versions of pf4j in production environments until patched.

These steps prevent directory traversal and Zip Slip attacks by ensuring that malicious ZIP entries cannot write files outside the intended extraction directory.

Compliance Impact

The vulnerability in pf4j allows directory traversal or Zip Slip attacks during ZIP file extraction, which can lead to arbitrary file writes outside the intended directory.

Such unauthorized file writes could potentially result in unauthorized access, modification, or deletion of sensitive data.

This risk may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding sensitive data against unauthorized access or alteration.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart