[Pkg-erlang-devel] Bug#1107939: erlang: CVE-2025-4748

Salvatore Bonaccorso carnil at debian.org
Tue Jun 17 19:51:37 BST 2025


Source: erlang
Version: 1:27.3.4+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/erlang/otp/pull/9941
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for erlang.

CVE-2025-4748[0]:
| Improper Limitation of a Pathname to a Restricted Directory ('Path
| Traversal') vulnerability in Erlang OTP (stdlib modules) allows
| Absolute Path Traversal, File Manipulation. This vulnerability is
| associated with program files lib/stdlib/src/zip.erl and program
| routines zip:unzip/1, zip:unzip/2, zip:extract/1,
| zip:extract/2 unless the memory option is passed.  This issue
| affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and
| OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1
| and 5.2.3.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-4748
    https://www.cve.org/CVERecord?id=CVE-2025-4748
[1] https://github.com/erlang/otp/pull/9941
[2] https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc
[3] https://github.com/erlang/otp/commit/10608879c81332af2d3c00db61ee173c93c1ea4e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
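The advisory text above describes the bug in terms of member names: zip:unzip/zip:extract will write an entry whose stored name is an absolute path (or climbs out with "..") outside the intended target directory, unless the memory option is used and nothing is written to disk at all. The module below is an added example written for this page; it is not code from OTP, from the upstream fix, or from the Debian package. It shows the check an application can run on an archive before extracting it on a not-yet-patched OTP, using only documented stdlib calls (zip:list_dir/1, zip:unzip/2 with {cwd, Dir} or memory, filename:pathtype/1, filename:split/1, zip:create/3). The module name safe_unzip, all function names, the target directory and the archive contents are hypothetical; demo/0 builds its hostile archive in memory and assumes zip:create/3 stores member names exactly as given.

```erlang
%% safe_unzip.erl -- hypothetical helper written for this page, not OTP code.
-module(safe_unzip).
-export([is_safe_name/1, unsafe_names/1, extract/2, extract_via_memory/2, demo/0]).

%% The #zip_file{} record returned by zip:list_dir/1 lives in this header.
-include_lib("stdlib/include/zip.hrl").

%% A stored member name is safe to join onto a target directory only if it is
%% a relative path and no component is "..". filename:pathtype/1 classifies
%% the name according to the host platform (absolute | relative | volumerelative),
%% so a Windows drive-letter name is also rejected where it would matter.
is_safe_name(Name) when is_list(Name) ->
    Parts = filename:split(Name),
    Parts =/= []
        andalso filename:pathtype(Name) =:= relative
        andalso not lists:member("..", Parts).

%% Every member name in Archive (path or binary) that would escape the target.
unsafe_names(Archive) ->
    {ok, Entries} = zip:list_dir(Archive),
    [N || #zip_file{name = N} <- Entries, not is_safe_name(N)].

%% Refuse the whole archive if any member would escape Dir; otherwise extract
%% under Dir with the normal {cwd, Dir} option.
extract(Archive, Dir) ->
    case unsafe_names(Archive) of
        []  -> zip:unzip(Archive, [{cwd, Dir}]);
        Bad -> {error, {unsafe_entries, Bad}}
    end.

%% Alternative built on the memory option the advisory names: nothing touches
%% the file system until each name has been validated and joined onto Dir by
%% this code rather than by zip:unzip. Directory entries (names ending in "/")
%% are skipped; filelib:ensure_dir/1 creates the parents of each file instead.
extract_via_memory(Archive, Dir) ->
    {ok, Files0} = zip:unzip(Archive, [memory]),
    Files = [F || {N, _} = F <- Files0, lists:last(N) =/= $/],
    case [N || {N, _} <- Files, not is_safe_name(N)] of
        [] ->
            Written = lists:map(
                        fun({Name, Bin}) ->
                                Path = filename:join(Dir, Name),
                                ok = filelib:ensure_dir(Path),
                                ok = file:write_file(Path, Bin),
                                Path
                        end, Files),
            {ok, Written};
        Bad ->
            {error, {unsafe_entries, Bad}}
    end.

%% Constructed demonstration archive: one benign member plus an absolute-path
%% member and a dot-dot member of the kind the advisory describes. Assumes
%% zip:create/3 keeps these names verbatim in the central directory.
demo() ->
    Members = [{"ok/readme.txt",     <<"benign\n">>},
               {"/tmp/owned.txt",    <<"absolute path\n">>},
               {"../../escape.txt",  <<"dot-dot\n">>}],
    {ok, {_, Zip}} = zip:create("constructed.zip", Members, [memory]),
    Bad = unsafe_names(Zip),
    %% Both extraction paths must refuse the archive rather than write outside
    %% the (hypothetical) target directory.
    {error, {unsafe_entries, Bad}} = extract(Zip, "/tmp/safe_unzip_demo"),
    {error, {unsafe_entries, Bad}} = extract_via_memory(Zip, "/tmp/safe_unzip_demo"),
    Bad.
```

Compile with erlc safe_unzip.erl and run safe_unzip:demo() in an erl shell; it returns the two hostile names, ["/tmp/owned.txt", "../../escape.txt"], without creating any file. The check rejects the whole archive rather than silently skipping bad members, because an archive that contains a traversal entry at all is hostile input and a partial extraction is rarely what the caller wants.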

