VYPR
Medium severity · OSV Advisory · Published Jun 16, 2025 · Updated Apr 15, 2026

CVE-2025-4748

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.

This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal flaw in Erlang/OTP's zip module lets a crafted archive write files outside the extraction directory, potentially overwriting critical files.

Vulnerability

CVE-2025-4748 is an absolute path traversal vulnerability in Erlang/OTP's stdlib zip module, affecting zip:unzip/1, zip:unzip/2, zip:extract/1 and zip:extract/2 unless the memory option is used [1]. The root cause is that entry names taken from the archive are used as given: the code does not strip leading path separators or .. sequences, so an entry named /tmp/evil is written to /tmp/evil rather than to a path under the extraction directory [2][3]. The issue is classified as CWE-22 (Path Traversal) and CAPEC-597 (Absolute Path Traversal) [2].

Exploitation

To exploit this vulnerability, an attacker crafts a ZIP archive whose entries carry absolute filenames and gets a user or an automated process to extract it with one of the affected functions without the memory option [1]. No authentication is required; the CVSS vector is local, because the victim must perform the extraction, and the attack complexity is low [3]. In practice any Erlang service that unpacks archives it receives over the network, such as uploaded bundles or plugins, performs that extraction on the attacker's behalf. The functions trust the archive's metadata, and the bug has existed from OTP 17.0 through the affected versions (OTP 17.0 up to 28.0.1, 27.3.4.1 and 26.2.5.13) [1][2]. The fix commits add a sanitize_filenames/1 test and change the extraction logic to reject or relativize absolute paths [3][4].

Impact

Successful exploitation writes or overwrites a file at an attacker-chosen absolute path, with the privileges of the process performing the extraction. Depending on what that process may write, this can corrupt data, cause denial of service, or lead to privilege escalation if configuration files, libraries or other code that a more privileged component later loads can be overwritten. The CVSS 4.0 base score is 4.8 (Medium), with low integrity and availability impact (VI:L, VA:L) and no confidentiality impact [2].

Mitigation

The vulnerability is fixed in OTP 28.0.1, 27.3.4.1 and 26.2.5.13 [1]; upgrade to one of these or any later release. Where upgrading is not immediately possible, extracting with the memory option (zip:extract(Archive, [memory])) performs no filesystem writes: it returns {ok, [{Name, Binary}]} and the application decides where, if anywhere, each entry is written, so it can reject or relativize absolute names itself [1]. Entry names can also be inspected before extraction with zip:list_dir/1 and the archive refused if any name is absolute.
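The crafted archive from the Exploitation section and the entry-name vetting a caller would want before handing an archive to the affected functions, as an added Python illustration that is neither OTP code nor the upstream fix. It relies on one documented property of Erlang's filename:join/2: when the right-hand operand is an absolute path the left-hand operand is discarded, and posixpath.join follows the same rule, so naive_target reproduces the escape. The vetting helper also rejects .. components and Windows drive prefixes, which goes beyond the absolute-path case in the advisory. The directory /srv/unpack, the entry names and their contents are constructed for the example.

```python
"""Added example (not Erlang/OTP code): absolute-path zip entries and how to vet them."""
from __future__ import annotations

import io
import posixpath
import re
import zipfile

DEST_DIR = "/srv/unpack"  # constructed extraction directory


def build_malicious_zip() -> bytes:
    """Constructed archive: one benign entry plus two hostile names.

    zipfile.ZipInfo stores the name exactly as given, so the central directory
    carries "/tmp/evil" verbatim, which is what a crafted archive would carry.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"harmless\n")
        zf.writestr(zipfile.ZipInfo("/tmp/evil"), b"owned\n")
        zf.writestr(zipfile.ZipInfo("../../etc/cron.d/x"), b"* * * * * root id\n")
    return buf.getvalue()


def naive_target(dest_dir: str, entry_name: str) -> str:
    """Where a join-and-write extractor lands an entry.

    posixpath.join, like Erlang's filename:join/2, drops dest_dir when the
    entry name is absolute; normpath then resolves any ".." components.
    """
    return posixpath.normpath(posixpath.join(dest_dir, entry_name))


def safe_target(dest_dir: str, entry_name: str) -> str:
    """Return the only acceptable path for an entry, or raise ValueError."""
    dest = posixpath.normpath(dest_dir)
    name = entry_name.replace("\\", "/")
    if name.startswith("/"):
        raise ValueError(f"absolute entry name rejected: {entry_name!r}")
    if re.match(r"^[A-Za-z]:", name):  # generalization: Windows drive prefix
        raise ValueError(f"drive-prefixed entry name rejected: {entry_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError(f"empty entry name rejected: {entry_name!r}")
    if ".." in parts:
        raise ValueError(f"parent-directory component rejected: {entry_name!r}")
    target = posixpath.join(dest, *parts)
    # Belt and braces: the result must still sit below the extraction directory.
    if posixpath.commonpath([dest, target]) != dest:
        raise ValueError(f"entry escapes extraction directory: {entry_name!r}")
    return target


def unsafe_entries(zip_bytes: bytes, dest_dir: str = DEST_DIR) -> list[str]:
    """Names that must be refused before the archive is extracted to disk."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                safe_target(dest_dir, name)
            except ValueError:
                bad.append(name)
    return bad


def extract_to_memory(zip_bytes: bytes) -> dict[str, bytes]:
    """Counterpart of zip:extract(Archive, [memory]): no filesystem writes.

    The caller receives name/content pairs and decides where each one goes,
    which is why the memory option sidesteps the traversal entirely.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    archive = build_malicious_zip()
    for name in extract_to_memory(archive):
        print(f"{name!r:28} naive -> {naive_target(DEST_DIR, name)}")
    print("refused:", unsafe_entries(archive))
```

Run stand-alone, the script shows the benign entry landing under /srv/unpack while the two hostile entries resolve to /tmp/evil and /etc/cron.d/x, and lists both as refused; an Erlang caller can apply the same checks to the names returned by zip:list_dir/1 or to the {Name, Binary} pairs returned under the memory option.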

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Range: OTP-17.0, OTP-18.0, OTP-18.0-rc1, …

Patches (4)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)
