Path Traversal Vulnerability in Erlang OTP Affects Multiple Versions
CVE-2025-4748

4.8 MEDIUM

Key Information:

Vendor: Erlang
Status: Vendor
CVE Published: 16 June 2025

What is CVE-2025-4748?

An absolute path traversal vulnerability in the stdlib zip module of Erlang/OTP lets a crafted archive whose entries carry absolute file names escape the directory the caller intended to extract into and write files elsewhere on the filesystem. The affected entry points are zip:unzip/1, zip:unzip/2, zip:extract/1 and zip:extract/2 whenever they are asked to write extracted files to disk; calls that pass the `memory` option are not affected, because the archive contents are then returned as binaries and nothing is written by the zip module. Affected versions are OTP 17.0 through 28.0.1, corresponding to stdlib 2.0 through 7.0.1.
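The mitigation the description points at, written out as an added example that is not OTP's own code: extract with the `memory` option so the zip module never touches the filesystem, validate every entry name, and only then build output paths below a destination the caller chose. The module name safe_unzip, the demo archive and the hostile entry names are constructed for this illustration; the code assumes an OTP release that provides zip:unzip/2 with the `memory` option, zip:create/3, filename:pathtype/1 and filelib:ensure_dir/1.

```erlang
%% safe_unzip.erl
%% Added example, not OTP code: extract a zip archive without letting entry
%% names escape the destination directory. Assumes zip:unzip/2 (memory option),
%% zip:create/3, filename:pathtype/1 and filelib:ensure_dir/1 are available.
-module(safe_unzip).
-export([entry_name_ok/1, extract/2, demo/1]).

%% True only for names that stay below the destination: relative, no ".."
%% component, and no ':' inside a component (drive letters such as "C:").
%% Backslashes are normalised first because on Unix filename:split/1 does
%% not treat them as separators, so "..\\x" would otherwise look harmless.
-spec entry_name_ok(string()) -> boolean().
entry_name_ok(Name) ->
    Norm  = normalise(Name),
    Parts = filename:split(Norm),
    filename:pathtype(Norm) =:= relative
        andalso Parts =/= []
        andalso not lists:member("..", Parts)
        andalso not lists:any(fun(P) -> lists:member($:, P) end, Parts).

%% Unpack Archive (a file name or the archive itself as a binary) below Dest.
%% The memory option stops the zip module from writing anything; every path
%% written here is Dest joined with a name that passed entry_name_ok/1.
%% If any entry name fails the check, nothing at all is written.
-spec extract(file:filename() | binary(), file:filename()) ->
          {ok, [file:filename()]} | {error, term()}.
extract(Archive, Dest) ->
    case zip:unzip(Archive, [memory]) of
        {ok, Entries} ->
            case [N || {N, _} <- Entries, not entry_name_ok(N)] of
                []  -> {ok, [write_entry(Dest, E) || E <- Entries]};
                Bad -> {error, {unsafe_entry_names, Bad}}
            end;
        {error, _} = Err ->
            Err
    end.

%% Note that filename:join/2 itself drops Dest when the second argument is
%% absolute, which is why the name must be validated before this point.
write_entry(Dest, {Name, Bin}) ->
    Norm = normalise(Name),
    Path = filename:join(Dest, Norm),
    case lists:last(Norm) of
        $/ ->                                  % directory entry: just create it
            ok = filelib:ensure_dir(filename:join(Path, "x"));
        _  ->
            ok = filelib:ensure_dir(Path),     % parent directories of the file
            ok = file:write_file(Path, Bin)
    end,
    Path.

normalise(Name) ->
    lists:map(fun($\\) -> $/; (C) -> C end, Name).

%% Builds a benign archive in memory (constructed sample input), extracts it
%% below Dest, and runs the name check over the kinds of entry names a
%% hostile archive would carry.
demo(Dest) ->
    {ok, {_, Zip}} = zip:create("demo.zip",
                                [{"notes/readme.txt", <<"hello\n">>}],
                                [memory]),
    {ok, Written} = extract(Zip, Dest),
    Hostile = ["/etc/cron.d/backdoor",
               "../../.ssh/authorized_keys",
               "C:\\Windows\\win.ini",
               "ok/../../../tmp/x"],
    {Written, [{N, entry_name_ok(N)} || N <- Hostile]}.
```

Compile the module and call `safe_unzip:demo("/tmp/safe_unzip_out")` from an Erlang shell: the benign entry is written below the given directory and each of the four hostile names is reported as rejected. The check is deliberately stricter than strictly necessary on Unix (it refuses ':' in any component) so that the same archive is treated the same way on Windows hosts.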

Affected Version(s)

  • OTP pkg:otp/[email protected]
  • OTP 17.0
  • OTP 07b8f441ca711f9812fad9e9115bab3c3aa92f79 (git commit)


CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published (16 June 2025)

Credit

Wander Nauta
Lukas Backström
Björn Gustavsson