Severity: High (8.8) · NVD Advisory · Published Mar 25, 2026 · Updated May 1, 2026
CVE-2025-67030
Description
Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before commit 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.codehaus.plexus:plexus-utils | Maven | >= 4.0.0, < 4.0.3 | 4.0.3 |
| org.codehaus.plexus:plexus-utils | Maven | < 3.6.1 | 3.6.1 |
Affected products
47 entries (osv-coords). No CPE is recorded for any entry; each is identified by package URL, with the distribution given separately for RPM packages.
| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/akhq | | < 0.27.0-r1 |
| pkg:apk/chainguard/apache-camel-karavan-devmode | | < 4.14.2-r6 |
| pkg:apk/chainguard/clojure-tools | | < 1.12.4.1629-r0 |
| pkg:apk/chainguard/confluent-kafka | | < 8.4.0.11-r0 |
| pkg:apk/chainguard/confluent-kafka-jre-bcfips | | < 8.4.0.11-r0 |
| pkg:apk/chainguard/dependency-track | | < 4.14.0-r5 |
| pkg:apk/chainguard/dependency-track-apiserver | | < 4.14.0-r1 |
| pkg:apk/chainguard/dependency-track-bundled | | < 4.14.0-r5 |
| pkg:apk/chainguard/druid | | < 37.0.0-r0 |
| pkg:apk/chainguard/gradle-8 | | < 8.14.4-r3 |
| pkg:apk/chainguard/gradle-9 | | < 9.4.1-r1 |
| pkg:apk/chainguard/gradle-stage0 | | < 8.0.1-r4 |
| pkg:apk/chainguard/kafka-4.2 | | < 4.2.0-r6 |
| pkg:apk/chainguard/kafka-fips-4.2 | | < 4.2.1-r0 |
| pkg:apk/chainguard/leiningen | | < 2.12.0-r2 |
| pkg:apk/chainguard/maven-3.9 | | < 3.9.14-r2 |
| pkg:apk/chainguard/maven-ecosystems-test | | < 3.9.15-r0 |
| pkg:apk/chainguard/maven-stage0 | | < 3.9.12-r4 |
| pkg:apk/chainguard/wso2is | | < 7.3.0-r0 |
| pkg:apk/wolfi/akhq | | < 0.27.0-r1 |
| pkg:apk/wolfi/confluent-kafka | | < 8.4.0.11-r0 |
| pkg:apk/wolfi/dependency-track | | < 4.14.0-r5 |
| pkg:apk/wolfi/dependency-track-bundled | | < 4.14.0-r5 |
| pkg:apk/wolfi/druid | | < 37.0.0-r0 |
| pkg:apk/wolfi/gradle-8 | | < 8.14.4-r3 |
| pkg:apk/wolfi/gradle-9 | | < 9.4.1-r1 |
| pkg:apk/wolfi/gradle-stage0 | | < 8.0.1-r4 |
| pkg:apk/wolfi/kafka-4.2 | | < 4.2.0-r6 |
| pkg:apk/wolfi/maven-3.9 | | < 3.9.14-r2 |
| pkg:apk/wolfi/maven-stage0 | | < 3.9.12-r4 |
| pkg:maven/org.codehaus.plexus/plexus-utils | | >= 4.0.0, < 4.0.3 |
| pkg:rpm/opensuse/plexus-utils | openSUSE Leap 15.6 | < 4.0.2-150200.3.14.1 |
| pkg:rpm/opensuse/plexus-utils | openSUSE Leap 16.0 | < 4.0.2-160000.3.1 |
| pkg:rpm/opensuse/plexus-utils | openSUSE Tumbleweed | < 4.0.2-2.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Module for Development Tools 15 SP7 | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server 15 SP4-LTSS | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server 15 SP5-LTSS | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server 15 SP6-LTSS | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server 16.0 | < 4.0.2-160000.3.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server for SAP Applications 15 SP4 | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | < 4.0.2-150200.3.14.1 |
| pkg:rpm/suse/plexus-utils | SUSE Linux Enterprise Server for SAP applications 16.0 | < 4.0.2-160000.3.1 |
References
8 references.
- github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642 (NVD: Patch)
- github.com/codehaus-plexus/plexus-utils/pull/295 (NVD: Issue Tracking, Patch)
- github.com/codehaus-plexus/plexus-utils/pull/296 (NVD: Issue Tracking, Patch)
- gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec (NVD: Third Party Advisory)
- github.com/advisories/GHSA-6fmv-xxpf-w3cw (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67030 (GHSA: Advisory)
- github.com/codehaus-plexus/plexus-utils/issues/294 (NVD: Issue Tracking)
- github.com/codehaus-plexus/plexus-utils/releases/tag/plexus-utils-4.0.3 (GHSA)