CVE-2025-4748: Path Traversal in OTP

CWE-22 (Path Traversal) | 7 documents | 6 sources
Severity: 4.8 MEDIUM (NVD)
EPSS: 0.4% (top 40.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (see Affected Packages below)
Timeline: Published Jun 16; latest update Jul 21

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows absolute path traversal and file manipulation. The vulnerability is in the program file lib/stdlib/src/zip.erl, in the routines zip:unzip/1, zip:unzip/2, zip:extract/1 and zip:extract/2, unless the memory option is passed (with memory, entries are returned as binaries rather than written to disk). This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1 and 6.2.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

Affected Packages (1 package)

CVEList V5: erlang/otp 2.0* (+2)

Vulnerability Details (3)

OSV: erlang vulnerabilities (2025-07-21)
CVEList: Absolute path traversal in zip:unzip/1,2 (2025-06-16)
OSV: CVE-2025-4748: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Trave... (2025-06-16)

Vendor Advisories (3)

Ubuntu: Erlang vulnerabilities (2025-07-21)
Microsoft: Absolute path traversal in zip:unzip/1,2 (2025-06-10)
Debian: CVE-2025-4748: erlang - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v... (2025)
CVE-2025-4748 — Path Traversal in Erlang OTP | cvebase