{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67030", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T17:45:41.937Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T17:45:41.937Z"}, "descriptions": [{"lang": "en", "value": "Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/codehaus-plexus/plexus-utils/pull/295"}, {"url": "https://github.com/codehaus-plexus/plexus-utils/issues/294"}, {"url": "https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642"}, {"url": "https://github.com/codehaus-plexus/plexus-utils/pull/296"}, {"url": "https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code"}], "id": "CVE-2025-67030", "lastModified": "2026-03-25T18:16:25.880", "metrics": {}, "published": "2026-03-25T18:16:25.880", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/issues/294"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/pull/295"}, {"source": "cve@mitre.org", "url": "https://github.com/codehaus-plexus/plexus-utils/pull/296"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{"bugzilla": {"description": "org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method", "id": "2451409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451409"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in plexus-utils. This vulnerability, known as a Directory Traversal, exists within the `extractFile` method. An attacker can exploit this to execute unauthorized code on the system in the context of the current working user."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-67030", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat AMQ Clients"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat build of Quarkus Native builder"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "javacc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "moditect", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "sisu", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "sisu-mojos", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "qpid-cpp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "qpid-qmf", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "exec-maven-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-archiver", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-assembly-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-changes-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-clean-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-common-artifact-filters", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-dependency-analyzer", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-deploy-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-doxia", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-doxia-sitetools", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-doxia-tools", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-enforcer", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-filtering", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-gpg-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-install-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-invoker", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-invoker-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-jarsigner-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-javadoc-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-jxr", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-plugin-tools", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-project-info-reports-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-release", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-remote-resources-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-scm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-script-interpreter", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-shade-plugin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-surefire", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "maven-wagon", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "modello", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "velocity", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "xbean", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/exec-maven-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/hawtjni", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/javacc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/javacc-maven-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-antrun-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-archiver", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-artifact-transfer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-assembly-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-compiler-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-dependency-analyzer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-dependency-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-doxia", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-doxia-sitetools", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-enforcer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-file-management", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-filtering", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-install-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-invoker", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-invoker-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-jar-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-plugin-bundle", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-plugin-testing", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-plugin-tools", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-remote-resources-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-reporting-impl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-resolver", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-resources-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-script-interpreter", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-shade-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-shared-io", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-source-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-surefire", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-wagon", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/modello", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/os-maven-plugin", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-ant-factory", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-archiver", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-bsh-factory", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-build-api", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-cli", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-compiler", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-components-pom", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-containers", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-i18n", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-interactivity", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-io", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/plexus-resources", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/sonatype-plugins-parent", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/spice-parent", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/xbean", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "maven:3.8/sisu", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "jmc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven:3.9/maven", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven:3.9/maven-resolver", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven:3.9/maven-wagon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven:3.9/plexus-containers", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven:3.9/plexus-sec-dispatcher", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven:3.9/sisu", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-artifact-transfer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-enforcer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-jar-plugin", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-plugin-testing", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-plugin-tools", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-resolver", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-wagon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "sisu", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "xbean", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-service-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "plexus-utils", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-67030\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-67030\nhttps://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec\nhttps://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642\nhttps://github.com/codehaus-plexus/plexus-utils/issues/294\nhttps://github.com/codehaus-plexus/plexus-utils/pull/295\nhttps://github.com/codehaus-plexus/plexus-utils/pull/296"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-03-25T20:02:02.588326+00:00", "value": {"mitigation_remediation": ["Update plexus-utils to the fixed version 6d780b3378829318ba5c2d29547e0012d5b29642 or later", "Verify that no outdated versions remain in any dependent projects", "If updating is not immediately possible, disable or remove use of the extractFile method from the codebase", "Apply general file path validation to prevent directory traversal", "Ensure that any archive handling processes have strict boundaries and are isolated"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The exposed component is the plexus-utils library, versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642. Any application or environment that incorporates this library and uses the extractFile method is at risk. No additional vendor or product information was supplied. ", "description_and_impact": "A directory traversal flaw exists in the extractFile method of org.codehaus.plexus.util.Expand within the plexus-utils library. By supplying specially crafted paths, an attacker can cause the method to resolve files outside the intended extraction directory, enabling the execution of arbitrary code during the unpacking process. This flaw directly compromises the confidentiality, integrity, and availability of the affected system. The vulnerability is identified as a potential gateway for full system compromise. ", "risk_and_exploitability": "The flaw presents a high risk due to its remote code execution capability. Exploitation requires the attacker to create or supply a malicious archive that triggers the vulnerable extractFile method; once executed, arbitrary code runs under the privileges of the application. No CVSS or EPSS data is available, but because the issue leads directly to code execution, the likelihood of exploitation is considered significant. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is via a crafted archive file processed by the affected component. "}}}}, "created": "2026-03-25T20:56:57.430844+00:00", "title": "Directory Traversal in Plexus Utils ExtractFile Leading to Arbitrary Code Execution", "updated": "2026-03-25T20:56:57.430878+00:00", "vendors": [], "weaknesses": ["CWE-22", "CWE-94"]}