Absolute path traversal in zip:unzip/1,2
Summary
| CVE | CVE-2025-4748 |
|---|---|
| State | PUBLISHED |
| Assigner | EEF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-06-16 11:15:18 UTC |
| Updated | 2026-04-06 17:17:04 UTC |
| Description | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4. |
Risk And Classification
Primary CVSS: v4.0 4.8 MEDIUM from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | Secondary | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | Passive |
| Confidentiality | None |
| Integrity | Low |
| Availability | Low |
| Sub Conf. | None |
| Sub Integrity | Low |
| Sub Availability | Low |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| www.openwall.com/lists/oss-security/2025/06/16/5 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| github.com/erlang/otp/pull/9941 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| cna.erlef.org/cves/CVE-2025-4748.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | cna.erlef.org | |
| github.com/erlang/otp/commit/578d4001575aa7647ea1efd4b2b7e3afadcc99a5 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| github.com/erlang/otp/commit/ba2f2bc5f45fcfd2d6201ba07990a678bbf4cc8f | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| www.erlang.org/doc/system/versions.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | www.erlang.org | |
| github.com/erlang/otp/commit/5a55feec10c9b69189d56723d8f237afa58d5d4f | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| osv.dev/vulnerability/EEF-CVE-2025-4748 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | osv.dev | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Wander Nauta
CNA: Lukas Backström
CNA: Björn Gustavsson
Additional Advisory Data
Workarounds
CNA: You can use zip:list_dir/1 on the archive and verify that no files contain absolute paths before extracting the archive to disk.
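The following module is an added example implementing that workaround; it is not code from OTP, the advisory, or the fix commits. It lists the archive with zip:list_dir/1, refuses any member whose name is not a plain relative path on the host, and only then calls zip:unzip/2 with {cwd, Dest}. The rejection of ".." components is an extra precaution beyond the absolute-path check the advisory describes. unzip_in_memory/1 shows the other route the description names as unaffected, extraction with the memory option, which returns binaries and never writes to disk. The module name, function names and the demo archive are assumptions for illustration.

```erlang
%% safe_unzip.erl (added example; not part of OTP or the advisory)
-module(safe_unzip).
-export([check_archive/1, is_unsafe_name/1, unzip_checked/2,
         unzip_in_memory/1, demo/0]).

%% Provides the #zip_file{} and #zip_comment{} records returned by zip:list_dir/1.
-include_lib("stdlib/include/zip.hrl").

%% Archive is a filename or a binary holding the whole zip file.
%% Returns ok, {error, {unsafe_paths, [Name]}} listing every offending
%% member, or {error, Reason} if zip:list_dir/1 itself fails.
check_archive(Archive) ->
    case zip:list_dir(Archive) of
        {ok, Entries} ->
            %% zip:list_dir/1 returns a #zip_comment{} followed by one
            %% #zip_file{} per member; keep only the member names.
            Names = [Name || #zip_file{name = Name} <- Entries],
            case [N || N <- Names, is_unsafe_name(N)] of
                []  -> ok;
                Bad -> {error, {unsafe_paths, Bad}}
            end;
        {error, Reason} ->
            {error, Reason}
    end.

%% A member name is unsafe if filename:pathtype/1 does not classify it as
%% relative on this host (absolute, or volume-relative on Windows), or if
%% it contains a ".." component. The host-dependence matches what
%% zip:unzip/2 would do with the name on the same host.
is_unsafe_name(Name) ->
    filename:pathtype(Name) =/= relative
        orelse lists:member("..", filename:split(Name)).

%% Extract into Dest only after the archive passes check_archive/1.
unzip_checked(Archive, Dest) ->
    case check_archive(Archive) of
        ok    -> zip:unzip(Archive, [{cwd, Dest}]);
        Error -> Error
    end.

%% Alternative that never touches the filesystem: with the memory option
%% zip:unzip/2 returns {ok, [{Name, Binary}]} instead of writing files.
unzip_in_memory(Archive) ->
    zip:unzip(Archive, [memory]).

%% Constructed demo: build a benign archive in memory, check it, and
%% exercise the name classifier on hostile-looking names.
demo() ->
    {ok, {_, Zip}} = zip:create("demo.zip",
                                [{"docs/readme.txt", <<"hello">>}],
                                [memory]),
    ok = check_archive(Zip),
    true = is_unsafe_name("/etc/cron.d/backdoor"),
    true = is_unsafe_name("../../.ssh/authorized_keys"),
    false = is_unsafe_name("docs/readme.txt"),
    {ok, [{"docs/readme.txt", <<"hello">>}]} = unzip_in_memory(Zip),
    ok.
```

Run the demo with `erlc safe_unzip.erl && erl -noshell -s safe_unzip demo -s init stop`; a failed match in demo/0 crashes the node, which is the intended signal. Note that the check inspects the central directory that zip:list_dir/1 reads, so it should be applied to the same file or binary that is then passed to zip:unzip/2, not to a copy that could be swapped in between.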
There are currently no legacy QID mappings associated with this CVE.