Plexus-Utils has a Directory Traversal vulnerability in its extractFile method

High severity GitHub Reviewed Published Mar 25, 2026 to the GitHub Advisory Database • Updated Apr 8, 2026

Package

maven org.codehaus.plexus:plexus-utils (Maven)

Affected versions

>= 4.0.0, < 4.0.3
< 3.6.1

Patched versions

4.0.3
3.6.1

Description

Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before commit 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code.

References

Published by the National Vulnerability Database Mar 25, 2026
Published to the GitHub Advisory Database Mar 25, 2026
Reviewed Mar 27, 2026
Last updated Apr 8, 2026

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(48th percentile)

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
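The defect the description names (a file path built from an archive entry name in Expand.extractFile without checking that it stays under the destination directory) is the pattern the CWE text above describes. As an added example that is not plexus-utils code or its fix, the following Java check shows the containment test an extraction routine needs before it creates any file; the class and method names are hypothetical and the entry names are constructed.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Guard for archive extraction: an entry name read from the archive is
 * untrusted input, so the resolved target must be proven to lie inside the
 * destination directory before any file is created there.
 *
 * Added example, not the plexus-utils fix; names here are hypothetical.
 */
public final class SafeExtractTarget {

    /**
     * Returns the absolute, normalized path for {@code entryName} under
     * {@code destDir}, or throws if the normalized path escapes it.
     */
    public static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path entry = Paths.get(entryName);
        // An absolute entry name would make resolve() discard destDir entirely.
        if (entry.isAbsolute()) {
            throw new IOException("absolute entry name rejected: " + entryName);
        }
        // normalize() collapses ".." segments so the test below sees the real target.
        Path target = root.resolve(entry).normalize();
        // startsWith compares whole path components, so "extract-other" never matches "extract".
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/extract"); // constructed destination directory
        // Constructed entry names: the first is benign, the others try to leave dest.
        String[] entries = {
            "docs/readme.txt",
            "../../outside.txt",
            "sub/../../outside.txt",
            "/absolute/outside.txt"
        };
        for (String e : entries) {
            try {
                System.out.println("OK      " + e + " -> " + resolveInside(dest, e));
            } catch (IOException ex) {
                System.out.println("REJECT  " + e + " (" + ex.getMessage() + ")");
            }
        }
    }
}
```

Only the first entry resolves to a path under /tmp/extract; the other three are rejected before any write happens, which is the check a vulnerable extractFile lacks.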

CVE ID

CVE-2025-67030

GHSA ID

GHSA-6fmv-xxpf-w3cw
