CVE-2025-4748
BaseFortify
Publication date: 2025-06-16
Last updated on: 2026-04-06
Assigner: EEF
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-4748 is a path traversal vulnerability in the Erlang/OTP zip module that occurs when extracting files from a maliciously crafted zip archive containing absolute file paths. The vulnerability arises because the zip module does not properly sanitize filenames by removing leading slashes, drive letters, or device identifiers. As a result, files can be extracted to arbitrary absolute paths on disk, potentially overwriting critical system files or placing files in unintended locations. This affects OTP versions from 17.0 up to, but not including, the patched releases 28.0.1, 27.3.4.1, and 26.2.5.13, and impacts the functions zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 unless the memory option is used. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker with local access to extract files from a malicious zip archive to arbitrary absolute paths on the filesystem. This can lead to unauthorized modification or overwriting of critical system files or placing files in unintended locations, potentially compromising system integrity and availability. The attack requires low complexity and no privileges or user interaction, but it does not impact confidentiality. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting zip archive contents before extraction and checking for absolute paths or other unsafe filenames. A recommended approach is to use the Erlang function zip:list_dir/1 to list the contents of a zip file and verify that no entry has an absolute path (e.g., a leading slash '/' or a drive letter such as 'C:'). This helps identify potentially malicious archives that could exploit the path traversal vulnerability. The exact commands depend on your environment, but in Erlang you can run zip:list_dir("path_to_zip_file.zip") to list and inspect the entry names before extracting. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Avoid extracting zip files with the vulnerable functions (zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2) without proper filename sanitization.
2) Use the memory option when extracting zip files so that nothing is written to disk.
3) Inspect zip archive contents with zip:list_dir/1 before extraction to ensure no absolute or otherwise unsafe paths are present.
4) Upgrade Erlang/OTP to a patched version where the vulnerability is fixed (OTP 26.2.5.13, 27.3.4.1, 28.0.1 or later). These versions include a fix that sanitizes filenames by stripping drive letters and leading slashes, preventing path traversal. [1, 2]
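The detection and mitigation steps above (list the archive with zip:list_dir/1, reject unsafe entry names, and only then extract) combined into one module, as an added example that is not BaseFortify's or Erlang/OTP's own code. It goes slightly beyond the advisory's wording by also rejecting ".." path components, the general CWE-22 case; the module and function names are this example's own.

```erlang
%% safe_unzip: pre-extraction check for CVE-2025-4748-style archives.
%% Added example, not part of OTP; assumes a zip file readable by zip:list_dir/1.
-module(safe_unzip).
-export([check_entries/1, unsafe_name/1, unzip_if_safe/2]).

-include_lib("kernel/include/file.hrl").
-include_lib("stdlib/include/zip.hrl").

%% Returns ok when every entry name is safe, or {error, {unsafe_entries, Names}}
%% listing each offending name so the archive can be logged and rejected.
check_entries(ZipPath) ->
    case zip:list_dir(ZipPath) of
        {ok, Entries} ->
            Names = [to_list(N) || #zip_file{name = N} <- Entries],
            case [N || N <- Names, unsafe_name(N)] of
                []  -> ok;
                Bad -> {error, {unsafe_entries, Bad}}
            end;
        {error, Reason} ->
            {error, Reason}
    end.

%% An entry is unsafe if its name is absolute (leading "/" or "\"), carries a
%% drive letter ("C:..."), or contains a ".." component (parent traversal).
unsafe_name([$/ | _]) -> true;
unsafe_name([$\\ | _]) -> true;
unsafe_name([L, $: | _]) when L >= $a, L =< $z; L >= $A, L =< $Z -> true;
unsafe_name(Name) ->
    Parts = string:lexemes(Name, "/\\"),
    lists:member("..", Parts).

%% Extract into Dir only after the check passes; unpatched OTP would otherwise
%% honour an absolute entry name and write outside Dir.
unzip_if_safe(ZipPath, Dir) ->
    case check_entries(ZipPath) of
        ok    -> zip:unzip(ZipPath, [{cwd, Dir}]);
        Error -> Error
    end.

%% zip:list_dir/1 may return names as strings or binaries; normalise to a string.
to_list(N) when is_binary(N) -> unicode:characters_to_list(N);
to_list(N) -> N.
```

Where the archive contents are only needed in memory, zip:unzip(ZipPath, [memory]) avoids writing to disk entirely, which the advisory notes sidesteps the issue.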