diff --git a/debian/changelog b/debian/changelog
index e04e42a..2aec91d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+plexus-utils2 (3.4.2-1deepin1) unstable; urgency=medium
+
+ * Fix CVE-2025-67030: Directory Traversal vulnerability in Expand.java
+
+ -- deepin-ci-robot Mon, 27 Apr 2026 14:59:56 +0800
+
 plexus-utils2 (3.4.2-1) unstable; urgency=medium
 
 * Team upload.
diff --git a/debian/patches/cve_2025_67030.patch b/debian/patches/cve_2025_67030.patch
new file mode 100644
index 0000000..891d14c
--- /dev/null
+++ b/debian/patches/cve_2025_67030.patch
@@ -0,0 +1,38 @@
+Description: Fix CVE-2025-67030: Directory Traversal vulnerability
+ Fix Zip Slip vulnerability in archive extraction by using getCanonicalPath()
+ instead of getAbsolutePath() for path validation.
+Author: Copilot <198982749+Copilot@users.noreply.github.com>
+Origin: upstream, https://github.com/codehaus-plexus/plexus-utils/commit/36ea3526309d2842075bf018d45152816a37fc98
+Bug: https://security-tracker.debian.org/tracker/CVE-2025-67030
+Forwarded: not-needed
+
+Index: github-plexus-utils2-67030/src/main/java/org/codehaus/plexus/util/Expand.java
+===================================================================
+--- github-plexus-utils2-67030.orig/src/main/java/org/codehaus/plexus/util/Expand.java
++++ github-plexus-utils2-67030/src/main/java/org/codehaus/plexus/util/Expand.java
+@@ -116,9 +116,23 @@ public class Expand
+ {
+ File f = FileUtils.resolveFile( dir, entryName );
+
+- if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
++ try
++ {
++ String canonicalDirPath = dir.getCanonicalPath();
++ String canonicalFilePath = f.getCanonicalPath();
++
++ // Ensure the file is within the target directory
++ // We need to check that the canonical file path starts with the canonical directory path
++ // followed by a file separator to prevent path traversal attacks
++ if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
++ && !canonicalFilePath.equals( canonicalDirPath ) )
++ {
++ throw new IOException( "Entry '" + entryName + "' outside the target directory." );
++ }
++ }
++ catch ( IOException e )
+ {
+- throw new IOException( "Entry '" + entryName + "' outside the target directory." );
++ throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
+ }
+
+ try
diff --git a/debian/patches/series b/debian/patches/series
index 0ce2e9c..9895829 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02-propertyutils-compatibility.patch
 03-maven-plugin-testing-compatibility.patch
 06-ignore-jmh-benchmarks.patch
+cve_2025_67030.patch