CVE-2025-4748: Erlang OTP Path Traversal Vulnerability

CVE-2025-4748 Overview

CVE-2025-4748 is a Path Traversal vulnerability affecting Erlang OTP's stdlib zip module. The vulnerability exists in the zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions within lib/stdlib/src/zip.erl. When extracting ZIP archives, the vulnerable functions fail to properly sanitize filenames, allowing attackers to craft malicious archives containing path traversal sequences (such as ../) that can write files outside the intended extraction directory.

Critical Impact
Attackers can manipulate file extraction paths to write arbitrary files to unauthorized locations on the filesystem, potentially overwriting critical system or application files.

Affected Products

Erlang OTP versions 17.0 through 28.0.1
Erlang OTP versions 27.0 through 27.3.4.1
Erlang OTP versions 26.0 through 26.2.5.13
stdlib versions 2.0 through 7.0.1
stdlib versions 6.0 through 6.2.2.1
stdlib versions 5.0 through 5.2.3.4

Discovery Timeline

June 16, 2025 - CVE-2025-4748 published to NVD
July 4, 2025 - Last updated in NVD database

Technical Details for CVE-2025-4748

Vulnerability Analysis

This Path Traversal vulnerability (CWE-22) exists in the Erlang OTP stdlib zip module's file extraction routines. The root issue is that the get_filename/2 function in zip.erl directly uses filenames from ZIP archive entries without sanitization. This allows maliciously crafted ZIP archives to contain entries with path traversal sequences like ../../../etc/passwd or absolute paths that escape the intended extraction directory.

The vulnerability requires local access to trigger, as an attacker must convince a user or application to extract a malicious ZIP archive. While user interaction is required, the potential for file manipulation and integrity compromise makes this a significant security concern for applications that process untrusted ZIP files using Erlang's built-in zip module.

Root Cause

The vulnerability stems from the get_filename/2 function in lib/stdlib/src/zip.erl returning filenames directly from ZIP archive entries without any validation or sanitization. Both regular files and directory entries passed through this function without checking for path traversal sequences or absolute paths. The vulnerable code would accept any filename embedded in the ZIP archive and use it directly for file creation during extraction.

Attack Vector

The attack requires a local vector where an attacker crafts a malicious ZIP archive containing files with path traversal sequences in their names. When a victim application or user extracts this archive using zip:unzip/1, zip:unzip/2, zip:extract/1, or zip:extract/2 (without the memory option), the malicious filenames are used verbatim, causing files to be written outside the intended extraction directory. This can result in:

Overwriting sensitive configuration files
Planting malicious executables in system directories
Modifying application data or code
Creating unauthorized files in privileged locations

The security patch introduces a sanitize_filename/1 function that validates and sanitizes all filenames before they are used for file creation:

erlang

get_filename({Name, _, _}, Type) ->
    get_filename(Name, Type);
get_filename(Name, regular) ->
-    Name;
+    sanitize_filename(Name);
get_filename(Name, directory) ->
    %% Ensure trailing slash
    case lists:reverse(Name) of
-	[$/ | _Rev] -> Name;
-	Rev         -> lists:reverse([$/ | Rev])
+	[$/ | _Rev] -> sanitize_filename(Name);
+	Rev         -> sanitize_filename(lists:reverse([$/ | Rev]))
    end.

add_cwd(_CWD, {_Name, _} = F) -> F;

Source: GitHub Commit 578d4001575a

Detection Methods for CVE-2025-4748

Indicators of Compromise

Files created in unexpected directories outside the intended extraction path
Presence of files with names containing path traversal sequences (../) in system logs or audit trails
Unexpected modifications to system configuration files or application binaries
ZIP extraction operations followed by file writes to sensitive directories

Detection Strategies

Monitor file system operations for writes that occur outside expected extraction directories during ZIP operations
Implement logging around calls to zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions in Erlang applications
Audit incoming ZIP archives for entries containing ../ sequences or absolute paths before extraction
Review application logs for Erlang zip module operations processing untrusted input

Monitoring Recommendations

Enable file integrity monitoring (FIM) on critical system directories and application installation paths
Configure alerts for file creation events in sensitive directories such as /etc, /usr/bin, or application configuration directories
Monitor Erlang application logs for ZIP extraction operations and correlate with filesystem changes

How to Mitigate CVE-2025-4748

Immediate Actions Required

Upgrade Erlang OTP to patched versions: OTP 28.0.1, OTP 27.3.4.1, or OTP 26.2.5.13 (corresponding to stdlib 7.0.1, 6.2.2.1, or 5.2.3.4)
Audit applications for usage of zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions with untrusted input
Consider using the memory option when extracting ZIP archives from untrusted sources as a temporary mitigation
Review any files that may have been extracted from untrusted ZIP archives for potential compromise

Patch Information

Erlang OTP has released security patches across multiple maintenance branches. The fixes have been applied in commits 578d4001575a (maint-26), ba2f2bc5f45f (maint-27), and 5a55feec10c9 (maint-28). For complete details, refer to the GitHub Security Advisory GHSA-9g37-pgj9-wrhc and GitHub Pull Request #9941.

Workarounds

Use the memory option with zip:unzip/2 or zip:extract/2 to extract archive contents to memory instead of directly to the filesystem, then validate filenames before writing
Implement pre-extraction validation to scan ZIP archive entries for path traversal sequences before calling the extraction functions
Run Erlang applications that process untrusted ZIP files in isolated environments or containers with restricted filesystem access
Apply principle of least privilege to file system permissions for directories where ZIP extraction occurs

bash

# Check Erlang OTP version
erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().'

# Upgrade Erlang OTP on Debian/Ubuntu-based systems
sudo apt update && sudo apt install erlang

# For manual builds, download patched versions from erlang.org
# OTP 28.0.1, OTP 27.3.4.1, or OTP 26.2.5.13

CVE-2025-4748 Overview

Critical Impact
Attackers can manipulate file extraction paths to write arbitrary files to unauthorized locations on the filesystem, potentially overwriting critical system or application files.

Affected Products

Erlang OTP versions 17.0 through 28.0.1
Erlang OTP versions 27.0 through 27.3.4.1
Erlang OTP versions 26.0 through 26.2.5.13
stdlib versions 2.0 through 7.0.1
stdlib versions 6.0 through 6.2.2.1
stdlib versions 5.0 through 5.2.3.4

Discovery Timeline

June 16, 2025 - CVE-2025-4748 published to NVD
July 4, 2025 - Last updated in NVD database

Technical Details for CVE-2025-4748

Vulnerability Analysis

Root Cause

Attack Vector

Overwriting sensitive configuration files
Planting malicious executables in system directories
Modifying application data or code
Creating unauthorized files in privileged locations

The security patch introduces a sanitize_filename/1 function that validates and sanitizes all filenames before they are used for file creation:

erlang

get_filename({Name, _, _}, Type) ->
    get_filename(Name, Type);
get_filename(Name, regular) ->
-    Name;
+    sanitize_filename(Name);
get_filename(Name, directory) ->
    %% Ensure trailing slash
    case lists:reverse(Name) of
-	[$/ | _Rev] -> Name;
-	Rev         -> lists:reverse([$/ | Rev])
+	[$/ | _Rev] -> sanitize_filename(Name);
+	Rev         -> sanitize_filename(lists:reverse([$/ | Rev]))
    end.

add_cwd(_CWD, {_Name, _} = F) -> F;

Source: GitHub Commit 578d4001575a

Detection Methods for CVE-2025-4748

Indicators of Compromise

Files created in unexpected directories outside the intended extraction path
Presence of files with names containing path traversal sequences (../) in system logs or audit trails
Unexpected modifications to system configuration files or application binaries
ZIP extraction operations followed by file writes to sensitive directories

Detection Strategies

Monitor file system operations for writes that occur outside expected extraction directories during ZIP operations
Implement logging around calls to zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions in Erlang applications
Audit incoming ZIP archives for entries containing ../ sequences or absolute paths before extraction
Review application logs for Erlang zip module operations processing untrusted input

Monitoring Recommendations

Enable file integrity monitoring (FIM) on critical system directories and application installation paths
Configure alerts for file creation events in sensitive directories such as /etc, /usr/bin, or application configuration directories
Monitor Erlang application logs for ZIP extraction operations and correlate with filesystem changes

How to Mitigate CVE-2025-4748

Immediate Actions Required

Upgrade Erlang OTP to patched versions: OTP 28.0.1, OTP 27.3.4.1, or OTP 26.2.5.13 (corresponding to stdlib 7.0.1, 6.2.2.1, or 5.2.3.4)
Audit applications for usage of zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 functions with untrusted input
Consider using the memory option when extracting ZIP archives from untrusted sources as a temporary mitigation
Review any files that may have been extracted from untrusted ZIP archives for potential compromise

Patch Information

Workarounds

Use the memory option with zip:unzip/2 or zip:extract/2 to extract archive contents to memory instead of directly to the filesystem, then validate filenames before writing
Implement pre-extraction validation to scan ZIP archive entries for path traversal sequences before calling the extraction functions
Run Erlang applications that process untrusted ZIP files in isolated environments or containers with restricted filesystem access
Apply principle of least privilege to file system permissions for directories where ZIP extraction occurs

bash

# Check Erlang OTP version
erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().'

# Upgrade Erlang OTP on Debian/Ubuntu-based systems
sudo apt update && sudo apt install erlang

# For manual builds, download patched versions from erlang.org
# OTP 28.0.1, OTP 27.3.4.1, or OTP 26.2.5.13

CVE-2025-4748: Erlang OTP Path Traversal Vulnerability

CVE-2025-4748 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-4748

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-4748

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-4748

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-4748: Erlang OTP Path Traversal Vulnerability

CVE-2025-4748 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-4748

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-4748

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-4748

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform