CVE-2025-67030

EUVD-2025-209002
Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code.
Path Traversal
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 8.8 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
Affected Products (NVD)
Vendor | Product | Version
codehaus-plexus | plexus-utils | 𝑥 < 3.6.1
codehaus-plexus | plexus-utils | 4.0.0 ≤ 𝑥 < 4.0.3
𝑥 = Vulnerable software versions
Amazon Linux Releases
Amazon Package | Release | Version | Status
maven3.9 | Amazon Linux 2023 | 1:3.9.14-3.amzn2023.0.1 | fixed
maven3.9-amazon-corretto11 | Amazon Linux 2023 | 1:3.9.14-3.amzn2023.0.1 | fixed
maven3.9-amazon-corretto17 | Amazon Linux 2023 | 1:3.9.14-3.amzn2023.0.1 | fixed
maven3.9-amazon-corretto21 | Amazon Linux 2023 | 1:3.9.14-3.amzn2023.0.1 | fixed
maven3.9-amazon-corretto8 | Amazon Linux 2023 | 1:3.9.14-3.amzn2023.0.1 | fixed
maven3.9-javadoc | Amazon Linux 2023 | 1:3.9.14-3.amzn2023.0.1 | fixed
maven3.9-lib | Amazon Linux 2023 | 1:3.9.14-3.amzn2023.0.1 | fixed
plexus-utils | Amazon Linux 2 | 0:3.0.9-9.amzn2.0.1 | fixed
plexus-utils | Amazon Linux 2023 | 0:3.3.0-9.amzn2023.0.5 | fixed
plexus-utils-javadoc | Amazon Linux 2 | 0:3.0.9-9.amzn2.0.1 | fixed
plexus-utils-javadoc | Amazon Linux 2023 | 0:3.3.0-9.amzn2023.0.5 | fixed
Azure Linux Releases
Azure Package | Release | Version | Status
plexus-utils | Azure Linux 3.0 | 0:3.3.0-5.azl3 | fixed
plexus-utils | CBL-Mariner 2.0 | 0:3.3.0-4.cm2 | fixed