This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Metrics
Affected Vendors & Products
Solution
No solution given by the vendor.
Workaround
You can use zip:list_dir/1 on the archive and verify that no files contain absolute paths before extracting the archive to disk.
Tue, 02 Sep 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Erlang erlang\/otp
|
|
CPEs | cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* | |
Vendors & Products |
Erlang erlang\/otp
|
Fri, 04 Jul 2025 09:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 16 Jun 2025 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 16 Jun 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 16 Jun 2025 11:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4. | |
Title | Absolute path traversal in zip:unzip/1,2 | |
Weaknesses | CWE-22 | |
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2025-09-02T15:59:55.774Z
Reserved: 2025-05-15T08:36:54.783Z
Link: CVE-2025-4748

Updated: 2025-06-16T20:03:21.484Z

Status : Awaiting Analysis
Published: 2025-06-16T11:15:18.730
Modified: 2025-07-04T10:15:23.127
Link: CVE-2025-4748

No data.

Updated: 2025-06-20T13:55:54Z