CVE-2025-70952 identifies a path traversal vulnerability in the pf4j (Plugin Framework for Java) library, specifically in the extract() function of Unzip.java. The vulnerability stems from the improper handling of zip entry names during the extraction process. When zip files are extracted, the code fails to properly normalize and validate the paths of the entries, allowing specially crafted zip archives to include entries with directory traversal sequences (e.g., '../'). This enables attackers to write files outside the intended extraction directory, a classic Zip Slip attack vector. Such an attack can overwrite critical files on the host system, leading to arbitrary code execution, privilege escalation, or system compromise depending on the context in which pf4j is used. The vulnerability affects all versions of pf4j before the commit identified as 20c2f80, which presumably includes a fix. There are no known public exploits or reports of active exploitation at this time. However, the vulnerability is significant because pf4j is widely used in Java applications for plugin management, and many applications rely on it to handle zip files safely. The lack of a CVSS score requires an independent severity assessment, which is high due to the potential impact and ease of exploitation without authentication or user interaction. The vulnerability is categorized as a directory traversal/Zip Slip issue, a well-known and dangerous class of vulnerabilities in archive extraction libraries.

The primary impact of CVE-2025-70952 is unauthorized file system modification via directory traversal during zip extraction. Successful exploitation can lead to overwriting or creating arbitrary files anywhere the application has write permissions. This can compromise application integrity, enable remote code execution if executable files are overwritten or planted, and potentially lead to full system compromise depending on the deployment context. Confidentiality may be impacted if sensitive files are overwritten or replaced with malicious versions. Availability could be affected if critical system or application files are corrupted. Organizations using pf4j in environments where untrusted zip files are processed are at risk. The vulnerability could be leveraged by attackers to implant backdoors, escalate privileges, or disrupt services. Since no authentication or user interaction is required, automated attacks could be feasible once the vulnerability is known. The lack of known exploits currently limits immediate risk, but the potential impact is significant for affected systems worldwide.

To mitigate CVE-2025-70952, organizations should immediately update pf4j to the version including the fix at commit 20c2f80 or later. If an update is not immediately possible, implement strict validation and sanitization of zip entry paths before extraction, ensuring no directory traversal sequences are present. Use secure extraction libraries or wrappers that enforce path normalization and restrict extraction to a designated directory. Employ runtime monitoring to detect unexpected file writes outside expected directories. Restrict application permissions to the minimum necessary, preventing write access to sensitive system locations. Additionally, conduct code reviews and security testing on any custom zip extraction logic. Educate developers on the risks of Zip Slip vulnerabilities and enforce secure coding practices for handling archive files. Finally, consider sandboxing or isolating components that process untrusted zip files to limit potential damage.