Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
References (9)
Core References
Vendor Advisory (vendor-advisory, related): https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc
Various Sources (x_version-scheme): https://www.erlang.org/doc/system/versions.html#order-of-versions
Issue Tracking (patch): https://github.com/erlang/otp/pull/9941
Related (related): https://cna.erlef.org/cves/CVE-2025-4748.html
Related (related): https://osv.dev/vulnerability/EEF-CVE-2025-4748
Scores
CVSS v4: 4.8
EPSS: 0.0037
EPSS Percentile: 59.1%
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (4)
Erlang/OTP (fixing commit): 07b8f441ca711f9812fad9e9115bab3c3aa92f79
Erlang/OTP (first affected OTP version): 17.0
Erlang/OTP (first affected stdlib version): 2.0
Erlang/OTP (package URL range): pkg:otp/[email protected] - pkg:otp/stdlib@*
Published: Jun 16, 2025
Tracked Since: Feb 18, 2026