CVE-2025-4748

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-4748

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4748.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-4748

Aliases

GHSA-9g37-pgj9-wrhc

Published

2025-06-16T11:15:18Z

Modified

2025-06-16T23:57:17.619587Z

Summary

[none]

Details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.

This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.

References

Affected packages

Debian:11 / erlang

Package

Name: erlang
Purl: pkg:deb/debian/erlang?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:23.*

1:23.2.6+dfsg-1

1:23.2.6+dfsg-1+deb11u1

1:23.2.6+dfsg-1+deb11u2

1:24.*

1:24.0~rc1+dfsg-1

1:24.0~rc2+dfsg-1

1:24.0~rc3+dfsg-1

1:24.0.2+dfsg-1

1:24.0.3+dfsg-1

1:24.0.4+dfsg-1

1:24.0.5+dfsg-1

1:24.0.5+dfsg-2

1:24.0.6+dfsg-1

1:24.0.6+dfsg-2

1:24.1+dfsg-1

1:24.1.1+dfsg-1

1:24.1.4+dfsg-1

1:24.1.5+dfsg-1

1:24.1.7+dfsg-1

1:24.2+dfsg-1

1:24.2.1+dfsg-1

1:24.2.2+dfsg-1

1:24.3+dfsg-1

1:24.3.1+dfsg-1

1:24.3.2+dfsg-1

1:24.3.3+dfsg-1

1:24.3.4+dfsg-1

1:24.3.4.1+dfsg-1

1:24.3.4.5+dfsg-1

1:25.*

1:25.0~rc1+dfsg-1

1:25.0~rc2+dfsg-1

1:25.0~rc3+dfsg-1

1:25.0+dfsg-1

1:25.0.2+dfsg-1

1:25.0.3+dfsg-1

1:25.0.4+dfsg-1

1:25.1.1+dfsg-1

1:25.1.2+dfsg-1

1:25.2+dfsg-1

1:25.2.1+dfsg-1

1:25.2.1+dfsg-2

1:25.2.2+dfsg-1

1:25.2.3+dfsg-1

1:25.3.2.8+dfsg-1

1:25.3.2.10+dfsg-1

1:25.3.2.10+dfsg-2

1:25.3.2.11+dfsg-1

1:25.3.2.12+dfsg-1

1:25.3.2.12+dfsg-2

1:25.3.2.12+dfsg-3

1:26.*

1:26.0~rc2+dfsg-1

1:26.0~rc3+dfsg-1

1:26.0+dfsg-1

1:26.0.1+dfsg-1

1:26.0.2+dfsg-1

1:26.1.2+dfsg-1

1:26.2.1+dfsg-1

1:26.2.4+dfsg-1

1:27.*

1:27.0~rc3+dfsg-1

1:27.0~rc3+dfsg-2

1:27.0~rc3+dfsg-3

1:27.0~rc3+dfsg-4

1:27.0+dfsg-1

1:27.0.1+dfsg-1

1:27.0.1+dfsg-2

1:27.0.1+dfsg-3

1:27.1.2+dfsg-1

1:27.2+dfsg-1

1:27.2+dfsg-2

1:27.2+dfsg-3~exp1

1:27.2.1+dfsg-1

1:27.2.1+dfsg-2

1:27.2.2+dfsg-1

1:27.2.3+dfsg-1

1:27.2.4+dfsg-1

1:27.3+dfsg-1

1:27.3.1+dfsg-1

1:27.3.2+dfsg-1

1:27.3.3+dfsg-1

1:27.3.4+dfsg-1

1:28.*

1:28.0+dfsg-1

1:28.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / erlang

Package

Name: erlang
Purl: pkg:deb/debian/erlang?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:25.*

1:25.2.3+dfsg-1

1:25.2.3+dfsg-1+deb12u1

1:25.3.2.8+dfsg-1

1:25.3.2.10+dfsg-1

1:25.3.2.10+dfsg-2

1:25.3.2.11+dfsg-1

1:25.3.2.12+dfsg-1

1:25.3.2.12+dfsg-2

1:25.3.2.12+dfsg-3

1:26.*

1:26.0~rc2+dfsg-1

1:26.0~rc3+dfsg-1

1:26.0+dfsg-1

1:26.0.1+dfsg-1

1:26.0.2+dfsg-1

1:26.1.2+dfsg-1

1:26.2.1+dfsg-1

1:26.2.4+dfsg-1

1:27.*

1:27.0~rc3+dfsg-1

1:27.0~rc3+dfsg-2

1:27.0~rc3+dfsg-3

1:27.0~rc3+dfsg-4

1:27.0+dfsg-1

1:27.0.1+dfsg-1

1:27.0.1+dfsg-2

1:27.0.1+dfsg-3

1:27.1.2+dfsg-1

1:27.2+dfsg-1

1:27.2+dfsg-2

1:27.2+dfsg-3~exp1

1:27.2.1+dfsg-1

1:27.2.1+dfsg-2

1:27.2.2+dfsg-1

1:27.2.3+dfsg-1

1:27.2.4+dfsg-1

1:27.3+dfsg-1

1:27.3.1+dfsg-1

1:27.3.2+dfsg-1

1:27.3.3+dfsg-1

1:27.3.4+dfsg-1

1:28.*

1:28.0+dfsg-1

1:28.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / erlang

Package

Name: erlang
Purl: pkg:deb/debian/erlang?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:25.*

1:25.2.3+dfsg-1

1:25.3.2.8+dfsg-1

1:25.3.2.10+dfsg-1

1:25.3.2.10+dfsg-2

1:25.3.2.11+dfsg-1

1:25.3.2.12+dfsg-1

1:25.3.2.12+dfsg-2

1:25.3.2.12+dfsg-3

1:26.*

1:26.0~rc2+dfsg-1

1:26.0~rc3+dfsg-1

1:26.0+dfsg-1

1:26.0.1+dfsg-1

1:26.0.2+dfsg-1

1:26.1.2+dfsg-1

1:26.2.1+dfsg-1

1:26.2.4+dfsg-1

1:27.*

1:27.0~rc3+dfsg-1

1:27.0~rc3+dfsg-2

1:27.0~rc3+dfsg-3

1:27.0~rc3+dfsg-4

1:27.0+dfsg-1

1:27.0.1+dfsg-1

1:27.0.1+dfsg-2

1:27.0.1+dfsg-3

1:27.1.2+dfsg-1

1:27.2+dfsg-1

1:27.2+dfsg-2

1:27.2+dfsg-3~exp1

1:27.2.1+dfsg-1

1:27.2.1+dfsg-2

1:27.2.2+dfsg-1

1:27.2.3+dfsg-1

1:27.2.4+dfsg-1

1:27.3+dfsg-1

1:27.3.1+dfsg-1

1:27.3.2+dfsg-1

1:27.3.3+dfsg-1

1:27.3.4+dfsg-1

1:28.*

1:28.0+dfsg-1

1:28.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}