- Description
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang/OTP (stdlib) allows absolute path traversal and file manipulation: an archive entry whose name is an absolute path is written to that path when the archive is extracted with zip:unzip/1, zip:unzip/2, zip:extract/1 or zip:extract/2, unless the memory option is passed (in which case nothing is written to disk). The affected code is in lib/stdlib/src/zip.erl. This issue affects OTP from 17.0 up to, but not including, 28.0.1, 27.3.4.1 and 26.2.5.13, corresponding to stdlib from 2.0 up to, but not including, 7.0.1, 6.2.2.1 and 5.2.3.4.
- Source
- 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 4.8
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
- Source
- 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
- Weakness
- CWE-22
- Hype score
- Not currently trending
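The pre-extraction check the description implies, as an added example that is not code from the advisory or from OTP itself: list the archive's entries with zip:list_dir/1, reject any name that is not a plain relative path or that contains a ".." component, and only then call zip:unzip/2 with a {cwd, Dir} option. The module name zip_guard, the function names and the demo archive are assumptions made for this example; the demo also assumes zip:create/3 stores the entry names it is given verbatim.

```erlang
%% zip_guard.erl (example module, not part of OTP): vet archive entry names
%% before extracting an untrusted zip to disk.
-module(zip_guard).
-export([unsafe_entries/1, unzip_checked/2, demo/0]).

%% The #zip_file{} record (name, info, comment, offset, comp_size) that
%% zip:list_dir/1 returns is defined here.
-include_lib("stdlib/include/zip.hrl").

%% Return every entry name in Archive (a file name or an in-memory binary)
%% that must not be written under an extraction directory: absolute and
%% volume-relative names, and names with a ".." path component.
%% Non-file entries (#zip_comment{}) are skipped by the generator pattern.
unsafe_entries(Archive) ->
    {ok, Entries} = zip:list_dir(Archive),
    [Name || #zip_file{name = Name} <- Entries, is_unsafe(Name)].

is_unsafe(Name) ->
    filename:pathtype(Name) =/= relative
        orelse lists:member("..", filename:split(Name)).

%% Extract Archive under Dir only if every entry passed the check.
%% On an affected OTP, zip:unzip/2 with {cwd, Dir} would otherwise honour an
%% absolute entry name and write outside Dir; on a fixed OTP the check is
%% still cheap defence in depth.
unzip_checked(Archive, Dir) ->
    case unsafe_entries(Archive) of
        []  -> zip:unzip(Archive, [{cwd, Dir}]);
        Bad -> {error, {unsafe_entries, Bad}}
    end.

%% Demo: build a constructed in-memory archive with one absolute entry, one
%% ".." entry and one harmless entry, then report the names the check rejects.
%% Assumes zip:create/3 keeps the given names as-is (true on the OTP versions
%% this example was written against; not re-verified here).
demo() ->
    Files = [{"/tmp/owned.txt", <<"absolute">>},
             {"../../etc/cron.d/job", <<"traversal">>},
             {"docs/readme.txt", <<"fine">>}],
    {ok, {_ArchiveName, Bin}} = zip:create("evil.zip", Files, [memory]),
    unsafe_entries(Bin).
```

Compile with `erlc zip_guard.erl` and run `zip_guard:demo()` in an Erlang shell; the two hostile names come back and `zip_guard:unzip_checked(Bin, "/var/tmp/extract")` refuses the archive, while the harmless entry on its own extracts normally. When the contents never need to touch the file system at all, `zip:unzip(Bin, [memory])` returns `{ok, [{Name, Content}]}` without writing anything, which is the mitigation the advisory names.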
🚨 EEF Advisory: CVE-2025-4748 – Path traversal vulnerability in zip:unzip and zip:extract (#Erlang/OTP < 28.0.1). 🔓Could allow arbitrary file writes unless memory option is used. 🛠️ Fixed in OTP 28.0.1, 27.3.4.1 & 26.2.5.13. ➡️ Upgrade now: https://t.co
@TheErlef
17 Jun 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New GreyNoise Labs research: CVE-2025-4748 Our team demonstrates how path traversal via zip archives can be used to achieve file write and code execution against Erlang OTP environments, exploiting CVE-2025-4748. This technique leverages the zip:unzip function when untrusted zip
@GreyNoiseIO
17 Jun 2025
2212 Impressions
7 Retweets
21 Likes
6 Bookmarks
0 Replies
0 Quotes
CVE-2025-4748 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipul… https://t.co/zi9tydRAVP
@CVEnew
16 Jun 2025
376 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes