CVE-2025-4748
Publication date 16 June 2025
Last updated 21 July 2025
Ubuntu priority
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
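A pre-extraction check for the issue described above, as an added example that is not OTP or Ubuntu code: it lists the archive with `zip:list_dir/1`, which writes nothing to disk, and refuses to call `zip:unzip/2` if any entry name is not a plain relative path. The module name `safe_unzip` and its function names are hypothetical, and rejecting `..` components goes beyond the absolute-path case this CVE names.

```erlang
%% Added example: module and function names are hypothetical.
-module(safe_unzip).
-export([extract/2, unsafe_names/1]).

%% Record definitions for #zip_file{} as returned by zip:list_dir/1.
-include_lib("stdlib/include/zip.hrl").

%% Extract Archive under DestDir only if every entry name is a relative
%% path with no ".." component; otherwise nothing is written.
-spec extract(file:filename(), file:filename()) ->
          {ok, [file:filename()]} | {error, term()}.
extract(Archive, DestDir) ->
    case unsafe_names(Archive) of
        {ok, []} ->
            zip:unzip(Archive, [{cwd, DestDir}]);
        {ok, Bad} ->
            {error, {unsafe_entry_names, Bad}};
        {error, _} = Err ->
            Err
    end.

%% Return the entry names that would land outside the destination
%% directory. Archive comments (#zip_comment{}) are skipped by the
%% pattern in the generator.
-spec unsafe_names(file:filename()) -> {ok, [string()]} | {error, term()}.
unsafe_names(Archive) ->
    case zip:list_dir(Archive) of
        {ok, Entries} ->
            Names = [N || #zip_file{name = N} <- Entries],
            {ok, [N || N <- Names, not is_contained(N)]};
        {error, _} = Err ->
            Err
    end.

%% filename:pathtype/1 returns relative | absolute | volumerelative;
%% only relative names without ".." stay under the extraction directory.
is_contained(Name) ->
    filename:pathtype(Name) =:= relative
        andalso not lists:member("..", filename:split(Name)).
```

This is a stopgap for hosts still running an affected stdlib; it does not replace updating to a fixed package.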
Status
Package | Ubuntu Release | Status |
---|---|---|
erlang | 25.04 plucky | Fixed 1:27.3+dfsg-1ubuntu1.2 |
erlang | 24.04 LTS noble | Fixed 1:25.3.2.8+dfsg-1ubuntu4.4 |
erlang | 22.04 LTS jammy | Fixed 1:24.2.1+dfsg-1ubuntu0.5 |
erlang | 20.04 LTS focal | Needs evaluation |
erlang | 18.04 LTS bionic | Needs evaluation |
erlang | 16.04 LTS xenial | Needs evaluation |
erlang | 14.04 LTS trusty | Needs evaluation |
References
Related Ubuntu Security Notices (USN)
- USN-7656-1: Erlang vulnerabilities (21 July 2025)