Absolute path traversal in zip:unzip/1,2
Summary
| CVE | CVE-2025-4748 |
|---|---|
| State | PUBLISHED |
| Assigner | EEF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-06-16 11:15:18 UTC |
| Updated | 2026-04-06 17:17:04 UTC |
| Description | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4. |
Risk And Classification
Primary CVSS: v4.0 4.8 MEDIUM from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001080000 probability, percentile 0.290500000 (date 2026-04-07)
Problem Types: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | Secondary | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| www.openwall.com/lists/oss-security/2025/06/16/5 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| github.com/erlang/otp/pull/9941 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| cna.erlef.org/cves/CVE-2025-4748.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | cna.erlef.org | |
| github.com/erlang/otp/commit/578d4001575aa7647ea1efd4b2b7e3afadcc99a5 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| github.com/erlang/otp/commit/ba2f2bc5f45fcfd2d6201ba07990a678bbf4cc8f | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| www.erlang.org/doc/system/versions.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | www.erlang.org | |
| github.com/erlang/otp/commit/5a55feec10c9b69189d56723d8f237afa58d5d4f | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| osv.dev/vulnerability/EEF-CVE-2025-4748 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | osv.dev | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Wander Nauta
CNA: Lukas Backström
CNA: Björn Gustavsson
Additional Advisory Data
Workarounds
CNA: You can use zip:list_dir/1 on the archive and verify that no files contain absolute paths before extracting the archive to disk.
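The workaround above as an Erlang function, added here as an example (not code from the advisory or from OTP): list the archive with zip:list_dir/1 and call zip:unzip/2 only if every entry name is relative. It also rejects ".." components, which goes beyond the check the advisory states; the module name safe_unzip is an assumption.

```erlang
%% Added example, not part of the advisory or of OTP: refuse to extract an
%% archive to disk if any entry name could land outside the target directory.
%% The module name safe_unzip is assumed.
-module(safe_unzip).
-export([extract/2, safe_name/1]).

%% Provides the #zip_file{} record returned by zip:list_dir/1.
-include_lib("stdlib/include/zip.hrl").

%% Extract Archive into Dir only if every entry has a safe name.
%% Returns {ok, Files} from zip:unzip/2, or {error, {unsafe_paths, Names}}.
extract(Archive, Dir) ->
    case zip:list_dir(Archive) of
        {ok, Entries} ->
            %% zip:list_dir/1 also returns a #zip_comment{} record; the
            %% pattern keeps only the file entries.
            Names = [N || #zip_file{name = N} <- Entries],
            case [N || N <- Names, not safe_name(N)] of
                [] -> zip:unzip(Archive, [{cwd, Dir}]);
                Bad -> {error, {unsafe_paths, Bad}}
            end;
        {error, Reason} ->
            {error, Reason}
    end.

%% A name is acceptable only if it is relative (absolute and, on Windows,
%% volume-relative names are rejected) and contains no ".." component,
%% so joining it onto Dir cannot escape Dir. The ".." check is stricter
%% than the absolute-path check the advisory describes.
safe_name(Name) ->
    filename:pathtype(Name) =:= relative
        andalso not lists:member("..", filename:split(Name)).
```

Call as safe_unzip:extract("untrusted.zip", "/tmp/out") and treat {error, {unsafe_paths, _}} as a reason to discard the archive.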