CVE-2025-67030

EUVD-2025-209002 | Severity: HIGH | CVSS 3.1 base score: 8.8
2026-03-25 | mitre | GHSA-6fmv-xxpf-w3cw

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
EUVD ID Assigned: Mar 25, 2026 - 18:01 (euvd) - EUVD-2025-209002
Analysis Generated: Mar 25, 2026 - 18:01 (vuln.today)
CVE Published: Mar 25, 2026 - 00:00 (nvd)

Description

Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code.

Analysis

A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642, allowing attackers to escape the intended extraction directory and write arbitrary files to the filesystem, potentially leading to remote code execution. The vulnerability affects any application using vulnerable versions of plexus-utils for archive extraction operations. A proof-of-concept has been publicly disclosed via a GitHub Gist, and the fix has been merged into the project repository.

Technical Context

plexus-utils is a widely-used utility library in the Apache Maven ecosystem, providing common functionality including archive extraction capabilities. The Expand class and its extractFile method are responsible for decompressing and extracting contents from archive files (typically ZIP or TAR formats). The vulnerability stems from insufficient validation of file paths during extraction, allowing an attacker to include path traversal sequences (such as '../' or absolute paths) within archive member filenames. This violates CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal), a fundamental file operation security issue. When an archive with specially crafted file paths is processed, the extraction logic fails to canonicalize or validate paths before writing to disk, permitting writes outside the intended extraction directory. This is particularly critical in build automation contexts where Maven and dependent tools automatically extract archives from repositories or during dependency resolution.

Affected Products

The vulnerability affects plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642. While no specific version number is provided in the intelligence, the fix was merged via pull request #295 and #296 on the CodeHaus Plexus GitHub repository (https://github.com/codehaus-plexus/plexus-utils). All applications that depend on plexus-utils transitively—including Maven itself and any project using Maven plugins or libraries that bundle this utility—are potentially affected. The affected CPE string indicates 'a:n/a:n/a' pending vendor clarification, but the precise affected component is org.codehaus.plexus:plexus-utils. Consult your build tool's dependency tree (mvn dependency:tree, gradle dependencies) to determine if plexus-utils is present in your supply chain.

Remediation

Update plexus-utils to the version that includes commit 6d780b3378829318ba5c2d29547e0012d5b29642 or later. For Maven-based projects, update the dependency declaration in pom.xml to the patched version and run 'mvn clean install' to rebuild. For Gradle projects, update the dependency version in build.gradle. All transitive dependencies will be updated automatically by the dependency resolver. Additionally, ensure that build environments do not process untrusted archives from external sources without cryptographic verification (GPG signatures, SHA-256 checksums from official repositories). Implement supply chain security practices such as dependency locking, private artifact repositories, and artifact scanning for malicious path patterns. Until patching is complete, review and restrict network access to Maven build agents and containerized build environments to minimize lateral movement risk if a build is compromised.
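The canonical-path check that the Technical Context section describes as missing, and the pre-extraction scan for traversal patterns that the Remediation section recommends, as an added illustration in Java. This is not plexus-utils code and not the project's fix; the class and method names (SafeExpand, resolveInside, extract, buildZip) and the in-memory archive contents are hypothetical and constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Hypothetical safe extractor showing the canonical-path check that closes
 * CWE-22 during archive expansion. Illustrative only; not plexus-utils code.
 */
public final class SafeExpand {

    /** Thrown when an archive member would resolve outside the destination. */
    public static final class PathTraversalException extends IOException {
        public PathTraversalException(String entry) {
            super("archive entry escapes destination directory: " + entry);
        }
    }

    /**
     * Resolve an entry name against dest and verify, on canonical paths, that
     * the result still lies inside dest. Names containing "../" segments or
     * absolute paths resolve outside dest and are rejected before any I/O.
     */
    static File resolveInside(File dest, String entryName) throws IOException {
        String destCanonical = dest.getCanonicalPath();
        File target = new File(dest, entryName);
        String targetCanonical = target.getCanonicalPath();
        // Compare with a trailing separator so "/tmp/out" does not accept "/tmp/outside".
        String prefix = destCanonical.endsWith(File.separator)
                ? destCanonical : destCanonical + File.separator;
        if (!targetCanonical.equals(destCanonical) && !targetCanonical.startsWith(prefix)) {
            throw new PathTraversalException(entryName);
        }
        return target;
    }

    /** Extract a ZIP stream into dest, refusing any member that escapes it. */
    public static List<File> extract(InputStream in, File dest) throws IOException {
        List<File> written = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                File target = resolveInside(dest, entry.getName()); // validate BEFORE writing
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.toPath().getParent());
                    try (OutputStream out = Files.newOutputStream(target.toPath())) {
                        zip.transferTo(out);
                    }
                    written.add(target);
                }
                zip.closeEntry();
            }
        }
        return written;
    }

    /** Build a small in-memory archive (constructed test data) with the given member names. */
    static byte[] buildZip(String... names) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(bytes)) {
            for (String name : names) {
                zip.putNextEntry(new ZipEntry(name));
                zip.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zip.closeEntry();
            }
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("safe-expand").toFile();

        // Benign archive (constructed): every member stays under dest.
        byte[] good = buildZip("lib/a.txt", "README.txt");
        System.out.println("extracted: " + extract(new ByteArrayInputStream(good), dest));

        // Archive (constructed) whose second member carries a traversal sequence:
        // the check fires before anything for that member is written.
        byte[] bad = buildZip("ok.txt", "../escaped.txt");
        try {
            extract(new ByteArrayInputStream(bad), dest);
        } catch (PathTraversalException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("file outside dest exists? "
                + new File(dest.getParentFile(), "escaped.txt").exists());
    }
}
```

The check lives in resolveInside and runs before any directory creation or write, which is the ordering the vulnerable code path lacks. Because a ZipInputStream is read sequentially, members preceding a malicious one are still written; when the archive is available as a file, running the same check over every entry name with java.util.zip.ZipFile before extracting anything gives the all-or-nothing behaviour that the artifact-scanning recommendation above describes.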

Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0

Vendor Status


CVE-2025-67030 vulnerability details – vuln.today
