Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.

This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Published: 2025-06-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Absolute Path Traversal allowing file manipulation
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from improper limitation of pathname checks in Erlang OTP’s zip processing library, allowing an attacker to specify files with absolute paths in a ZIP archive. When such an archive is extracted the application writes files to locations outside the intended extraction directory, potentially overwriting crucial configuration or executable files. The weakness is classified as CWE‑22 and can lead to information disclosure or malicious code execution by creating or modifying files on the file system.

Affected Systems

Erlang OTP is affected in releases from 17.0 through 28.0.1, with specific vulnerable build identifiers including OTP 27.3.4.1 and OTP 26.2.5.13. Corresponding stdlib versions 2.0 through 7.0.1, 6.2.2.1 and 5.2.3.4 are impacted. The flaw manifests in the standard library modules handling ZIP archives such as zip:unzip/1, zip:unzip/2, zip:extract/1 and zip:extract/2 when the memory option is not used.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no large‑scale exploits are currently documented. Attackers would need access to the system or the ability to supply a crafted ZIP archive to the vulnerable functions. Based on the description it is inferred that the attack vector is local or a remote service that accepts untrusted archives. The proposed workaround of examining archive entries with zip:list_dir/1 before extraction mitigates the risk until a patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 01:26 UTC.

Remediation

Vendor Workaround

You can use zip:list_dir/1 on the archive and verify that no files contain absolute paths before extracting the archive to disk.

OpenCVE Recommended Actions

  • Upgrade Erlang OTP to the latest release that contains the referenced patch commits (e.g., 28.1 or later).
  • If upgrading is not immediately possible, perform a pre‑extraction check by listing all entries with zip:list_dir/1 and verify that no entry contains an absolute path before calling unzip or extract.
  • Avoid extracting untrusted ZIP archives in environments where privilege escalation could be leveraged; restrict file system permissions as an additional defense.

Generated by OpenCVE AI on April 28, 2026 at 01:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4376-1 erlang security update
EUVD EUVD EUVD-2025-18414 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Ubuntu USN Ubuntu USN USN-7656-1 Erlang vulnerabilities
History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
References

Tue, 02 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang\/otp
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang erlang\/otp

Fri, 04 Jul 2025 09:30:00 +0000

Type Values Removed Values Added
References

Mon, 16 Jun 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 16 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Jun 2025 11:15:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Title Absolute path traversal in zip:unzip/1,2
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L'}

Subscriptions

Erlang Erlang\/otp Otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-06T16:44:04.139Z

Reserved: 2025-05-15T08:36:54.783Z

Link: CVE-2025-4748

cve-icon Vulnrichment

Updated: 2025-06-16T20:03:21.484Z

cve-icon NVD

Status : Deferred

Published: 2025-06-16T11:15:18.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses