CVE-2025-4748
Absolute path traversal in zip:unzip/1,2
| CVSS Score | 0.0 |
| EPSS Score | 0.1% |
| EPSS Percentile | 26th |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal and File Manipulation: an archive entry whose name is an absolute path is written to that absolute location rather than under the extraction directory. The affected code is in lib/stdlib/src/zip.erl, in the routines zip:unzip/1, zip:unzip/2, zip:extract/1 and zip:extract/2, unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
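As an added example (not code from the advisory or from OTP itself), one mitigation for installations that cannot upgrade yet: list the archive's entry names with zip:list_dir/1 and refuse absolute or parent-directory names before calling zip:unzip/2 with {cwd, DestDir}. The module name safe_unzip and the function names are assumptions.

```erlang
%% Added example, not part of the advisory or of OTP: screen zip entry
%% names before extraction so that absolute paths (the CVE-2025-4748
%% case) and ".." components never reach zip:unzip/2.
-module(safe_unzip).
-export([unzip/2, unsafe_entries/1]).

%% Defines the #zip_file{} record returned by zip:list_dir/1.
-include_lib("stdlib/include/zip.hrl").

%% Return the entry names in Archive that would escape the target
%% directory. Comment entries (zip_comment records) are skipped.
unsafe_entries(Archive) ->
    {ok, Entries} = zip:list_dir(Archive),
    [Name || #zip_file{name = Name} <- Entries, not is_safe_name(Name)].

%% A name is safe only if it is relative (rejects "/etc/passwd" and,
%% on Windows, drive- or volume-relative names) and contains no ".."
%% path component.
is_safe_name(Name) ->
    filename:pathtype(Name) =:= relative
        andalso not lists:member("..", filename:split(Name)).

%% Extract Archive below DestDir only when every entry name is safe;
%% otherwise report the offending names instead of writing anything.
unzip(Archive, DestDir) ->
    case unsafe_entries(Archive) of
        []  -> zip:unzip(Archive, [{cwd, DestDir}]);
        Bad -> {error, {unsafe_entries, Bad}}
    end.
```

Passing the memory option, as the description notes, avoids the disk write inside zip, but code that then writes the returned binaries itself needs the same name check.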
| CWE | CWE-22 |
| Vendor | erlang |
| Product | otp |
| Published | Jun 16, 2025 |
| Last Updated | Apr 6, 2026 |
Affected Versions
| Erlang / OTP (stdlib) | 2.0 < * |
| Erlang / OTP | 17.0 < * |
| Erlang / OTP (commit) | 07b8f441ca711f9812fad9e9115bab3c3aa92f79 < * |
References
- github.com: https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc
- cna.erlef.org: https://cna.erlef.org/cves/CVE-2025-4748.html
- osv.dev: https://osv.dev/vulnerability/EEF-CVE-2025-4748
- erlang.org: https://www.erlang.org/doc/system/versions.html#order-of-versions
- github.com: https://github.com/erlang/otp/pull/9941
- github.com: https://github.com/erlang/otp/commit/5a55feec10c9b69189d56723d8f237afa58d5d4f
- github.com: https://github.com/erlang/otp/commit/ba2f2bc5f45fcfd2d6201ba07990a678bbf4cc8f
- github.com: https://github.com/erlang/otp/commit/578d4001575aa7647ea1efd4b2b7e3afadcc99a5
- openwall.com: http://www.openwall.com/lists/oss-security/2025/06/16/5
Credits
Wander Nauta, Lukas Backström, Björn Gustavsson