PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-67030 Codehaus Plexus CVE debrief

CVE-2025-67030 is a high-severity directory traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before version 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code. The vulnerability has a CVSS score of 8.8 and is classified as HIGH. The CVE was published on 2026-03-25T18:16:25.880Z and last modified on 2026-06-30T03:16:57.343Z.

Vendor
Codehaus Plexus
Product
plexus-utils
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-06-30
Advisory published
2026-03-25
Advisory updated
2026-06-30

Who should care

This vulnerability affects users of Plexus-Utils, particularly those using versions before 6d780b3378829318ba5c2d29547e0012d5b29642. Developers and administrators should review their dependencies and update to the latest version to mitigate the risk. Red Hat users may also be affected, as indicated by multiple RHSA errata references.

Technical summary

The vulnerability is caused by a directory traversal issue in the extractFile method of org.codehaus.plexus.util.Expand. This method does not properly sanitize input, allowing an attacker to traverse the directory structure and potentially execute arbitrary code. The issue is addressed in commit 6d780b3378829318ba5c2d29547e0012d5b29642. Multiple references, including GitHub issues and Red Hat errata, provide additional context and mitigation strategies.

Defensive priority

This vulnerability has a high CVSS score of 8.8, indicating a critical severity level. Immediate attention is required to mitigate the risk of arbitrary code execution.

Recommended defensive actions

  • Review and update Plexus-Utils to version 6d780b3378829318ba5c2d29547e0012d5b29642 or later.
  • Check dependencies and inventory for affected versions.
  • Apply patches or updates provided by the vendor or community.
  • Monitor for suspicious activity and implement compensating controls.
  • Review and implement secure coding practices to prevent similar vulnerabilities.

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. Multiple references, including GitHub issues and Red Hat errata, offer additional context and mitigation strategies. However, the exact scope of affected systems and potential attack vectors may require further investigation.

Official resources

This article is AI-assisted and based on the supplied source corpus.