Skip to main content

Erlang OTP CVE-2025-4748

| EUVDEUVD-2025-18414 MEDIUM
Path Traversal (CWE-22)
2025-06-16 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ubuntu
MEDIUM
qualitative
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:59 euvd
EUVD-2025-18414
CVE Published
Jun 16, 2025 - 11:15 nvd
MEDIUM 4.8

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.

This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.

Analysis

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.

This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.

Vendor StatusVendor

Ubuntu

Priority: Medium
erlang
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
oracular ignored end of life, was needs-triage
jammy released 1:24.2.1+dfsg-1ubuntu0.5
upstream released 1:27.3.4.1+dfsg-1
noble released 1:25.3.2.8+dfsg-1ubuntu4.4
plucky released 1:27.3+dfsg-1ubuntu1.2
questing released 1:27.3.4.1+dfsg-1

Debian

Bug #1107939
erlang
Release Status Fixed Version Urgency
bullseye fixed 1:23.2.6+dfsg-1+deb11u3 -
bullseye (security) fixed 1:23.2.6+dfsg-1+deb11u3 -
bookworm fixed 1:25.2.3+dfsg-1+deb12u2 -
bookworm (security) vulnerable 1:25.2.3+dfsg-1+deb12u1 -
trixie fixed 1:27.3.4.1+dfsg-1+deb13u1 -
forky fixed 1:27.3.4.6+dfsg-1 -
sid fixed 1:27.3.4.8+dfsg-1 -
(unstable) fixed 1:27.3.4.1+dfsg-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Server Applications 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2025-4748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy