Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
History

Fri, 04 Jul 2025 09:30:00 +0000


Mon, 16 Jun 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 16 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Jun 2025 11:15:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Title Absolute path traversal in zip:unzip/1,2
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published: 2025-06-16T11:00:54.643Z

Updated: 2025-07-04T09:07:32.019Z

Reserved: 2025-05-15T08:36:54.783Z

Link: CVE-2025-4748

cve-icon Vulnrichment

Updated: 2025-06-16T20:03:21.484Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-16T11:15:18.730

Modified: 2025-07-04T10:15:23.127

Link: CVE-2025-4748

cve-icon Redhat

No data.