## CVE-2025-67030: Critical Directory Traversal Flaw in Plexus-Utils Library Exposes Systems to Arbitrary Code Execution
A critical vulnerability in a widely used Java library can give an attacker arbitrary code execution on affected systems. The flaw, tracked as CVE-2025-67030, is a directory traversal vulnerability in the `extractFile` method of `org.codehaus.plexus.util.Expand` in the `plexus-utils` library. When an archive is unpacked, an entry name containing `../` segments (or an absolute path) is resolved against the destination directory without being checked, so a crafted archive can write files outside the intended extraction directory, the pattern commonly called Zip Slip. Any location writable by the extracting process is reachable, and the write becomes remote code execution when the overwritten file is something that later gets executed or loaded (a script, a class file, a configuration file that names one). The issue affects releases that predate commit `6d780b3378829318ba5c2d29547e0012d5b29642`.

The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"). The `plexus-utils` library is a foundational component of the Apache Maven ecosystem: Maven itself, a large share of Maven plugins, and many build and packaging tools depend on it, usually transitively rather than by direct declaration. That reach gives the flaw a potentially large attack surface, but exposure is concrete only where a vulnerable version is actually used to unpack archives whose contents an attacker can influence, such as downloaded artifacts, user uploads, or plugin and template bundles fetched during a build.
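The traversal pattern described above, shown as an added stand-alone example rather than plexus-utils' own source: a constructed in-memory archive carries one benign entry and one `../` entry, `extractUnchecked` joins each entry name to the destination directory the way a vulnerable extractor does, and `extractChecked` normalizes the resolved path and refuses anything that does not stay under the destination. The class name `ZipSlipDemo` and the two method names are chosen here for illustration; nothing below is taken from the library.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Illustration of CWE-22 in archive extraction (Zip Slip). Example code written
 * for this page; it is not plexus-utils' implementation. Names are hypothetical.
 */
public class ZipSlipDemo {

    /** Constructed sample archive: a benign entry plus one traversal entry. */
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("README.txt"));
            zos.write("benign\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("written outside the extraction directory\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: the entry name is joined to the target directory as-is. */
    static void extractUnchecked(byte[] archive, File dir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                File f = new File(dir, e.getName()); // "../escaped.txt" lands in dir's parent
                if (e.isDirectory()) {
                    f.mkdirs();
                    continue;
                }
                f.getParentFile().mkdirs();
                Files.copy(zis, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    /** Hardened pattern: resolve, normalize, then require the result to stay under dir. */
    static void extractChecked(byte[] archive, File dir) throws IOException {
        Path root = dir.toPath().toAbsolutePath().normalize();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                // resolve() returns an absolute entry name unchanged, so "/etc/x" is
                // caught by the same containment test as "../x".
                Path target = root.resolve(e.getName()).normalize();
                // Path.startsWith compares whole path components: "/tmp/out" does not
                // accept "/tmp/outside/x" the way a String prefix check would.
                if (!target.startsWith(root)) {
                    throw new IOException("entry escapes extraction directory: " + e.getName());
                }
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] archive = buildArchive();
        Path parent = Files.createTempDirectory("zipslip");
        File dir = Files.createDirectory(parent.resolve("out")).toFile();

        extractUnchecked(archive, dir);
        System.out.println("unchecked: file outside 'out' exists = "
                + Files.exists(parent.resolve("escaped.txt")));

        try {
            extractChecked(archive, dir);
        } catch (IOException ex) {
            System.out.println("checked: rejected -> " + ex.getMessage());
        }
    }
}
```

Two caveats for anyone adapting the check: `normalize()` operates on the path text only, so if the destination already contains a symbolic link an entry can still be redirected through it (resolve the parent with `toRealPath()` or extract into a fresh directory); and a prefix test on the string form of the path is not equivalent to `Path.startsWith`, because `/tmp/out` is a string prefix of `/tmp/outside`.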

Security advisories have been published by the major tracking entities, including the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA-6fmv-xxpf-w3cw), and Sonatype's OSS Index. Public disclosure starts an urgent patching cycle for development and security teams. Because `plexus-utils` is almost always a transitive dependency, organizations should audit the full resolved dependency tree (for example with the Maven Dependency Plugin's `dependency:tree` goal), not just declared dependencies, and upgrade every occurrence to a release that includes the fixing commit. Where an upgrade is not immediately possible, code that unpacks archives from untrusted sources should treat every entry name as attacker-controlled and verify that the resolved path stays inside the extraction directory before writing; exploitation can otherwise lead to complete compromise of the extracting host.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2025-67030, Java, Directory Traversal, Supply Chain, Maven
- **Credibility**: unverified
- **Published**: 2026-03-27 03:27:02
- **ID**: 36685
- **URL**: https://whisperx.ai/en/intel/36685