PT-2025-25546 · Ericsson+5 · Stdlib+6

Björn Gustavsson +2 · Published 2025-01-01 · Updated 2025-11-24 · CVE-2025-4748

CVSS v4.0: 4.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

Erlang OTP versions 17.0 through 28.0.1
Erlang OTP version 27.3.4.1
Erlang OTP version 26.2.5.13
stdlib versions 2.0 through 7.0.1
stdlib version 6.2.2.1
stdlib version 5.2.3.4

Description

This is a path traversal vulnerability in Erlang OTP, specifically in the stdlib zip module. It allows absolute path traversal and file manipulation: an archive entry whose name is absolute or escapes the target directory can cause files to be written outside the intended extraction directory. The affected code is in lib/stdlib/src/zip.erl, in the routines zip:unzip/1, zip:unzip/2, zip:extract/1 and zip:extract/2. Calls that pass the memory option are not affected, because extracted contents are then returned to the caller rather than written to the filesystem.

Recommendations

For Erlang OTP versions 17.0 through 28.0.1, consider disabling the zip:unzip/1 and zip:unzip/2 functions until a patch is available.
For Erlang OTP version 27.3.4.1, restrict access to the zip:extract/1 and zip:extract/2 routines to minimize the risk of exploitation.
For Erlang OTP version 26.2.5.13, avoid using the zip module until the issue is resolved.
For stdlib versions 2.0 through 7.0.1, consider applying configuration changes to limit the impact of the vulnerability.
For stdlib version 6.2.2.1, restrict access to the vulnerable zip.erl file to prevent exploitation.
For stdlib version 5.2.3.4, consider disabling the zip module as a temporary workaround until a patch is available.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

AZL-64068
AZL-64073
BDU:2025-13871
CVE-2025-4748
DLA-4376-1
GHSA-9G37-PGJ9-WRHC
OESA-2025-1767
SUSE-SU-2025:02331-1
SUSE-SU-2025:02332-1
SUSE-SU-2025_02331-1
SUSE-SU-2025_02332-1
USN-7656-1

Affected Products

Debian
Erlang/OTP
Linux Mint
RED OS
SUSE
Ubuntu
stdlib