Path Traversal Vulnerability in Erlang OTP Affects Multiple Versions
CVE-2025-4748
What is CVE-2025-4748?
CVE-2025-4748 is an absolute path traversal vulnerability in the zip module of the stdlib application of Erlang's Open Telecom Platform (OTP), affecting releases from OTP 17.0 through OTP 28.0.1. When an archive is extracted to the file system (for example with zip:unzip/2 or zip:extract/2 and a `{cwd, Dir}` target), an entry whose stored name is an absolute path is written to that absolute location instead of beneath the target directory. An attacker who can supply an archive that an application extracts can therefore create or overwrite files anywhere the Erlang VM process has write permission. Extraction with the `memory` option, which returns entry contents as binaries rather than writing them to disk, does not write any files and so is not exposed; only code paths that extract untrusted archives to disk are at risk.
Potential impact of CVE-2025-4748
- File manipulation: the primitive is an arbitrary file write at an attacker-chosen absolute path, with the privileges of the process running the Erlang VM. Existing files can be overwritten and new files created, which can corrupt application data, break services, or plant content the attacker controls.
- Unauthorized access to the file system: the application's assumption that extraction stays inside the chosen directory no longer holds, so files outside that boundary (configuration, startup scripts, credential or key files) are reachable for writing. Overwriting such files can indirectly expose sensitive information or weaken other controls.
- System compromise: if the overwritten file is one that is later executed or loaded (a script, a scheduled task, an application module or its configuration), the file write can be turned into code execution, giving the attacker a foothold from which to install malware, move further into the environment, or use the host in wider attacks.
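As an added example (not code from this page or from the Erlang/OTP project), the module below shows the extraction pattern that is exposed on affected releases alongside a defensive wrapper that works on any release: it lists the entry names with zip:list_dir/1 and rejects anything that is not a plain relative path, then extracts with the `memory` option and writes the entries itself, re-checking each target with filelib:safe_relative_path/2 (available since OTP 23). The module and function names (safe_unzip, check_names/1, safe_extract/2, demo/0) and the sample archive are assumptions introduced for this example.

```erlang
-module(safe_unzip).
-export([unsafe_extract/2, check_names/1, safe_extract/2, demo/0]).
-include_lib("stdlib/include/zip.hrl").   % #zip_file{} / #zip_comment{} records

%% The pattern this CVE concerns: on an affected release an entry whose
%% stored name is absolute (e.g. "/tmp/pwned.txt") is written there, not
%% under Dir. Only call this on a patched release, or after check_names/1.
unsafe_extract(Archive, Dir) ->
    zip:unzip(Archive, [{cwd, Dir}]).

%% Inspect the central directory without extracting anything. Returns ok
%% when every entry name is relative and free of ".." components, or
%% {error, {unsafe_entry, Name}} for the first offending entry.
check_names(Archive) ->
    case zip:list_dir(Archive) of
        {ok, Entries} ->
            Names = [Name || #zip_file{name = Name} <- Entries],
            case [N || N <- Names, not safe_name(N)] of
                []        -> ok;
                [Bad | _] -> {error, {unsafe_entry, Bad}}
            end;
        {error, _} = Err ->
            Err
    end.

%% pathtype/1 is platform aware: it flags "/etc/x" on Unix and both
%% "C:\x" (absolute) and "\x" (volumerelative) on Windows.
safe_name(Name) ->
    filename:pathtype(Name) =:= relative
        andalso not lists:member("..", filename:split(Name)).

%% Defensive extraction: validate names, pull the entries into memory so the
%% zip module never touches the disk, then write each file ourselves after
%% sanitising its path relative to Dir (symlinks inside Dir included).
safe_extract(Archive, Dir) ->
    case check_names(Archive) of
        ok ->
            ok = filelib:ensure_dir(filename:join(Dir, ".keep")), % create Dir itself
            {ok, Files} = zip:unzip(Archive, [memory]),
            lists:foreach(fun({Name, Bin}) -> write_entry(Dir, Name, Bin) end,
                          Files),
            {ok, [Name || {Name, _} <- Files]};
        {error, _} = Err ->
            Err
    end.

write_entry(Dir, Name, Bin) ->
    case lists:suffix("/", Name) of
        true ->
            ok;  % directory entry: ensure_dir/1 below creates it when needed
        false ->
            case filelib:safe_relative_path(Name, Dir) of
                unsafe ->
                    error({unsafe_entry, Name});
                Rel ->
                    Target = filename:join(Dir, Rel),
                    ok = filelib:ensure_dir(Target),
                    ok = file:write_file(Target, Bin)
            end
    end.

%% Constructed sample archive (not a real-world file): one benign entry and
%% one whose stored name is absolute, the shape of entry this CVE concerns.
%% Whether zip:create/3 keeps the leading slash verbatim can vary by release;
%% if it does, check_names/1 returns {error, {unsafe_entry, "/tmp/pwned.txt"}}.
demo() ->
    {ok, {_Name, Zip}} = zip:create("sample.zip",
                                    [{"docs/readme.txt", <<"hello">>},
                                     {"/tmp/pwned.txt",  <<"owned">>}],
                                    [memory]),
    check_names(Zip).
```

Use `safe_unzip:safe_extract(ZipBytesOrPath, "/var/app/extract")` wherever an application extracts an archive it did not produce itself; the two-step check (name validation before extraction, path sanitising at write time) means a hostile entry is rejected before any file is touched, on patched and unpatched releases alike. Upgrading to a release that contains the fix remains the real remedy; the wrapper is a mitigation for the window before that upgrade lands.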