CVE-2025-70952: pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names

March 25, 2026 (updated March 27, 2026)

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

References

gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705
github.com/advisories/GHSA-5458-7hh9-v7p4
github.com/pf4j/pf4j
github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14
github.com/pf4j/pf4j/issues/618
github.com/pf4j/pf4j/issues/623
nvd.nist.gov/vuln/detail/CVE-2025-70952

Code Behaviors & Features

Detect and mitigate CVE-2025-70952 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →