CVE-2025-4748
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.
This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Erlang | OTP | 2.0 < * | affected |
| Erlang | OTP | 17.0 < * | affected |
| Erlang | OTP | 07b8f441ca711f9812fad9e9115bab3c3aa92f79 < * | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Workarounds
You can use zip:list_dir/1 on the archive and verify that no files contain absolute paths before extracting the archive to disk.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc
- https://cna.erlef.org/cves/CVE-2025-4748.html
- https://osv.dev/vulnerability/EEF-CVE-2025-4748
- https://www.erlang.org/doc/system/versions.html#order-of-versions
- https://github.com/erlang/otp/pull/9941
- https://github.com/erlang/otp/commit/5a55feec10c9b69189d56723d8f237afa58d5d4f
- https://github.com/erlang/otp/commit/ba2f2bc5f45fcfd2d6201ba07990a678bbf4cc8f
- https://github.com/erlang/otp/commit/578d4001575aa7647ea1efd4b2b7e3afadcc99a5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.