CVE-2025-67030 is a directory traversal vulnerability identified in the extractFile method of the org.codehaus.plexus.util.Expand class within the plexus-utils Java library. This vulnerability arises because the method does not properly sanitize or validate file paths when extracting archive contents, allowing an attacker to craft malicious archive files that, when extracted, can write files outside the intended directory structure. This can lead to overwriting critical system or application files or placing malicious executables in trusted locations. The vulnerability affects versions of plexus-utils prior to the commit identified as 6d780b3378829318ba5c2d29547e0012d5b29642, though exact version numbers are not specified. Plexus-utils is widely used as a utility library in Java projects, particularly in build tools such as Apache Maven, which rely on it for file extraction tasks. Exploiting this vulnerability could allow an attacker to execute arbitrary code on the target system, compromising confidentiality, integrity, and availability. The vulnerability does not require prior authentication and can be triggered by processing a malicious archive file, potentially delivered via supply chain attacks or compromised build artifacts. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date. However, the potential impact is significant given the nature of arbitrary code execution and the widespread use of the affected library.

The primary impact of CVE-2025-67030 is the potential for arbitrary code execution on systems that use vulnerable versions of plexus-utils for archive extraction. This can lead to full system compromise, data breaches, and disruption of services. Organizations relying on Java build tools or other software components that incorporate plexus-utils may face risks of supply chain attacks, where malicious archives are introduced into build or deployment pipelines. The vulnerability undermines system integrity by allowing attackers to overwrite or create files outside intended directories, potentially injecting backdoors or malware. Confidentiality is also at risk if sensitive files are overwritten or exfiltrated. Availability could be affected if critical system files are corrupted or replaced. The ease of exploitation is moderate to high because it requires processing a crafted archive file but does not require authentication or user interaction beyond that. The scope is broad due to the widespread adoption of plexus-utils in Java ecosystems globally. Organizations with automated build environments, continuous integration/continuous deployment (CI/CD) pipelines, or software supply chains that utilize this library are particularly vulnerable.

To mitigate CVE-2025-67030, organizations should: 1) Monitor for and apply patches or updates to plexus-utils as soon as they are released, specifically those that address the extractFile method vulnerability. 2) Audit all software projects and build pipelines to identify usage of plexus-utils and assess exposure. 3) Implement strict validation and sanitization of archive files before extraction, including rejecting archives containing suspicious or absolute paths. 4) Employ runtime protections such as sandboxing or containerization for build and extraction processes to limit the impact of potential exploitation. 5) Use integrity verification and signing of build artifacts to detect tampering. 6) Monitor logs and file system changes for unexpected file creations or modifications outside expected directories. 7) Educate development and DevOps teams about the risks of processing untrusted archives and enforce policies to avoid using unverified third-party artifacts. 8) Consider implementing application allowlisting and endpoint detection and response (EDR) solutions to detect and block malicious activity stemming from exploitation attempts.