Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-4748

CVE-2025-4748: Erlang OTP Path Traversal Vulnerability

CVE-2025-4748 is a path traversal vulnerability in Erlang OTP stdlib modules affecting zip extraction functions. Attackers can manipulate files outside intended directories. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-4748 Overview

CVE-2025-4748 is a Path Traversal vulnerability affecting Erlang OTP's stdlib zip module. The vulnerability exists in the zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions within lib/stdlib/src/zip.erl. When extracting ZIP archives, the vulnerable functions fail to properly sanitize filenames, allowing attackers to craft malicious archives containing path traversal sequences (such as ../) that can write files outside the intended extraction directory.

Critical Impact

Attackers can manipulate file extraction paths to write arbitrary files to unauthorized locations on the filesystem, potentially overwriting critical system or application files.

Affected Products

  • Erlang OTP versions 17.0 through 28.0.1
  • Erlang OTP versions 27.0 through 27.3.4.1
  • Erlang OTP versions 26.0 through 26.2.5.13
  • stdlib versions 2.0 through 7.0.1
  • stdlib versions 6.0 through 6.2.2.1
  • stdlib versions 5.0 through 5.2.3.4

Discovery Timeline

  • June 16, 2025 - CVE-2025-4748 published to NVD
  • July 4, 2025 - Last updated in NVD database

Technical Details for CVE-2025-4748

Vulnerability Analysis

This Path Traversal vulnerability (CWE-22) exists in the Erlang OTP stdlib zip module's file extraction routines. The root issue is that the get_filename/2 function in zip.erl directly uses filenames from ZIP archive entries without sanitization. This allows maliciously crafted ZIP archives to contain entries with path traversal sequences like ../../../etc/passwd or absolute paths that escape the intended extraction directory.

The vulnerability requires local access to trigger, as an attacker must convince a user or application to extract a malicious ZIP archive. While user interaction is required, the potential for file manipulation and integrity compromise makes this a significant security concern for applications that process untrusted ZIP files using Erlang's built-in zip module.

Root Cause

The vulnerability stems from the get_filename/2 function in lib/stdlib/src/zip.erl returning filenames directly from ZIP archive entries without any validation or sanitization. Both regular files and directory entries passed through this function without checking for path traversal sequences or absolute paths. The vulnerable code would accept any filename embedded in the ZIP archive and use it directly for file creation during extraction.

Attack Vector

The attack requires a local vector where an attacker crafts a malicious ZIP archive containing files with path traversal sequences in their names. When a victim application or user extracts this archive using zip:unzip/1, zip:unzip/2, zip:extract/1, or zip:extract/2 (without the memory option), the malicious filenames are used verbatim, causing files to be written outside the intended extraction directory. This can result in:

  1. Overwriting sensitive configuration files
  2. Planting malicious executables in system directories
  3. Modifying application data or code
  4. Creating unauthorized files in privileged locations

The security patch introduces a sanitize_filename/1 function that validates and sanitizes all filenames before they are used for file creation:

erlang
get_filename({Name, _, _}, Type) ->
    get_filename(Name, Type);
get_filename(Name, regular) ->
-    Name;
+    sanitize_filename(Name);
get_filename(Name, directory) ->
    %% Ensure trailing slash
    case lists:reverse(Name) of
-	[$/ | _Rev] -> Name;
-	Rev         -> lists:reverse([$/ | Rev])
+	[$/ | _Rev] -> sanitize_filename(Name);
+	Rev         -> sanitize_filename(lists:reverse([$/ | Rev]))
    end.

add_cwd(_CWD, {_Name, _} = F) -> F;

Source: GitHub Commit 578d4001575a

Detection Methods for CVE-2025-4748

Indicators of Compromise

  • Files created in unexpected directories outside the intended extraction path
  • Presence of files with names containing path traversal sequences (../) in system logs or audit trails
  • Unexpected modifications to system configuration files or application binaries
  • ZIP extraction operations followed by file writes to sensitive directories

Detection Strategies

  • Monitor file system operations for writes that occur outside expected extraction directories during ZIP operations
  • Implement logging around calls to zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions in Erlang applications
  • Audit incoming ZIP archives for entries containing ../ sequences or absolute paths before extraction
  • Review application logs for Erlang zip module operations processing untrusted input

Monitoring Recommendations

  • Enable file integrity monitoring (FIM) on critical system directories and application installation paths
  • Configure alerts for file creation events in sensitive directories such as /etc, /usr/bin, or application configuration directories
  • Monitor Erlang application logs for ZIP extraction operations and correlate with filesystem changes

How to Mitigate CVE-2025-4748

Immediate Actions Required

  • Upgrade Erlang OTP to patched versions: OTP 28.0.1, OTP 27.3.4.1, or OTP 26.2.5.13 (corresponding to stdlib 7.0.1, 6.2.2.1, or 5.2.3.4)
  • Audit applications for usage of zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions with untrusted input
  • Consider using the memory option when extracting ZIP archives from untrusted sources as a temporary mitigation
  • Review any files that may have been extracted from untrusted ZIP archives for potential compromise

Patch Information

Erlang OTP has released security patches across multiple maintenance branches. The fixes have been applied in commits 578d4001575a (maint-26), ba2f2bc5f45f (maint-27), and 5a55feec10c9 (maint-28). For complete details, refer to the GitHub Security Advisory GHSA-9g37-pgj9-wrhc and GitHub Pull Request #9941.

Workarounds

  • Use the memory option with zip:unzip/2 or zip:extract/2 to extract archive contents to memory instead of directly to the filesystem, then validate filenames before writing
  • Implement pre-extraction validation to scan ZIP archive entries for path traversal sequences before calling the extraction functions
  • Run Erlang applications that process untrusted ZIP files in isolated environments or containers with restricted filesystem access
  • Apply principle of least privilege to file system permissions for directories where ZIP extraction occurs
bash
# Check Erlang OTP version
erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().'

# Upgrade Erlang OTP on Debian/Ubuntu-based systems
sudo apt update && sudo apt install erlang

# For manual builds, download patched versions from erlang.org
# OTP 28.0.1, OTP 27.3.4.1, or OTP 26.2.5.13

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne