GHSA-5458-7hh9-v7p4

Source

https://github.com/advisories/GHSA-5458-7hh9-v7p4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5458-7hh9-v7p4/GHSA-5458-7hh9-v7p4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5458-7hh9-v7p4

Aliases

CVE-2025-70952

Published

2026-03-25T21:30:35Z

Modified

2026-03-27T20:05:59.551316Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names

Details

pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-23"
    ],
    "nvd_published_at": "2026-03-25T19:16:28Z",
    "github_reviewed_at": "2026-03-27T19:49:00Z",
    "severity": "HIGH"
}

References

Affected packages

Maven / org.pf4j:pf4j

Package

Name: org.pf4j:pf4j; View open source insights on deps.dev
Purl: pkg:maven/org.pf4j/pf4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.14.1

Affected versions

2.*

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

3.*

3.0.1

3.1.0

3.2.0

3.3.0

3.3.1

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.8.0

3.9.0

3.10.0

3.11.0

3.11.1

3.12.0

3.12.1

3.13.0

3.14.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5458-7hh9-v7p4/GHSA-5458-7hh9-v7p4.json"