High severity (7.5) · NVD Advisory · Published Mar 25, 2026 · Updated Apr 1, 2026
CVE-2025-70952
Description
pf4j before commit 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java. Zip entry names are joined to the destination directory without proper normalization and validation, so an archive containing an entry such as `../../target` can write files outside the intended extraction directory (directory traversal, commonly called Zip Slip).
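The following is an added example, not code from pf4j or from the referenced fix commit: a minimal Java extractor that shows the vulnerable pattern described above (joining the raw entry name to the destination) next to the standard hardening for it (normalize the joined path and require it to remain under the normalized destination). The archive it extracts is constructed in memory and the class, method and file names are illustrative; the hardened check is the generic canonical-path test, not a transcription of the pf4j patch.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // Vulnerable pattern: the entry name is joined to the destination as-is.
    // A name such as "../escaped.txt" resolves to a path outside dest.
    static Path vulnerableTarget(Path dest, ZipEntry entry) {
        return dest.resolve(entry.getName());
    }

    // Hardened pattern: normalize the joined path and require it to stay under
    // the normalized destination. Path.startsWith compares whole components, so
    // "/out/plugins" is not fooled by "/out/plugins-evil". Absolute entry names
    // are rejected too, because resolve() returns them unchanged.
    static Path safeTarget(Path dest, ZipEntry entry) throws IOException {
        Path root = dest.toAbsolutePath().normalize();
        Path target = root.resolve(entry.getName()).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes destination: " + entry.getName());
        }
        return target;
    }

    // Extracts every entry of the archive into dest, using either the
    // vulnerable or the hardened target computation.
    static void extract(InputStream zipStream, Path dest, boolean hardened) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = hardened ? safeTarget(dest, entry) : vulnerableTarget(dest, entry);
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    // Constructed sample archive (not taken from the advisory): one benign
    // entry and one entry whose name climbs out of the extraction directory.
    static byte[] buildMaliciousZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("plugin.properties"));
            zos.write("plugin.id=demo\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("written outside the plugin directory\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] zip = buildMaliciousZip();
        // Everything happens under a fresh temp directory so the demo is harmless.
        Path sandbox = Files.createTempDirectory("zipslip-demo");
        Path dest = Files.createDirectories(sandbox.resolve("plugins").resolve("demo"));

        // Vulnerable extraction: escaped.txt lands in plugins/, a level above dest.
        extract(new ByteArrayInputStream(zip), dest, false);
        Path escaped = sandbox.resolve("plugins").resolve("escaped.txt");
        System.out.println("vulnerable extract wrote outside dest: " + Files.exists(escaped));

        // Hardened extraction: the traversal entry is rejected before any write.
        try {
            extract(new ByteArrayInputStream(zip), dest, true);
            System.out.println("hardened extract completed (unexpected)");
        } catch (IOException e) {
            System.out.println("hardened extract rejected: " + e.getMessage());
        }
    }
}
```

The check must run on the normalized path, not on the raw entry name: filtering for a literal `../` prefix misses names such as `a/../../b`, and in a plugin loader the destination is typically a directory the attacker can otherwise influence only through the archive contents, which is exactly why a single escaped entry (for example a class file dropped into a sibling plugin's directory) matters.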
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.pf4j:pf4j (Maven) | < 3.14.1 | 3.14.1 |
Affected products
OSV coordinates (none of these packages has a CPE):

- pkg:apk/chainguard/kayenta-2025.0: < 2025.0.8-r10
- pkg:apk/chainguard/kayenta-2025.1: < 2025.1.6-r8
- pkg:apk/chainguard/kayenta-2025.2: < 2025.2.4-r4
- pkg:apk/chainguard/kayenta-2025.4: < 2025.4.3-r5
- pkg:apk/chainguard/kayenta-2026.0: < 2026.0.2-r5
- pkg:apk/chainguard/kayenta-fips-2025.0: < 2025.0.8-r12
- pkg:apk/chainguard/kayenta-fips-2025.1: < 2025.1.6-r9
- pkg:apk/chainguard/kayenta-fips-2025.2: < 2025.2.4-r5
- pkg:apk/chainguard/kayenta-fips-2025.4: < 2025.4.3-r6
- pkg:apk/chainguard/kayenta-fips-2026.0: < 2026.0.2-r6
- pkg:apk/chainguard/nextflow: < 25.10.4-r2
- pkg:apk/wolfi/nextflow: < 25.10.4-r2
- pkg:maven/org.pf4j/pf4j: < 3.14.1
References
- github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14 (NVD: Patch)
- github.com/pf4j/pf4j/issues/623 (NVD: Exploit, Issue Tracking, Third Party Advisory)
- gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705 (NVD: Third Party Advisory)
- github.com/advisories/GHSA-5458-7hh9-v7p4 (GHSA: Advisory)
- github.com/pf4j/pf4j/issues/618 (NVD: Issue Tracking, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-70952 (GHSA: Advisory)