update
critical
#29207
Update dependency org.codehaus.plexus:plexus-utils to v4.0.3 [SECURITY]
This PR contains the following updates:
| Package | Type | Update Type | Change |
| --- | --- | --- | --- |
| org.codehaus.plexus:plexus-utils(source) | build | major | 3.6.0 → 4.0.3 |
| org.codehaus.plexus:plexus-utils(source) | compile | patch | 4.0.2 → 4.0.3 |
---
⚠️ Warning
Some dependencies could not be looked up. Check the warning logs for more information.
---
Plexus-Utils has a Directory Traversal vulnerability in its extractFile method
CVE-2025-67030 / GHSA-6fmv-xxpf-w3cw
Details
Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code
Severity
High
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-67030
- https://github.com/codehaus-plexus/plexus-utils/issues/294
- https://github.com/codehaus-plexus/plexus-utils/pull/295
- https://github.com/codehaus-plexus/plexus-utils/pull/296
- https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642
- https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec
- https://github.com/codehaus-plexus/plexus-utils
- https://github.com/codehaus-plexus/plexus-utils/releases/tag/plexus-utils-4.0.3
This data is provided by OSV and the GitHub Advisory Database(CC-BY 4.0).
---