Absolute path traversal in zip:unzip/1,2

Weakness Type (CWE)

CWE-22 — CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

CVSS 4.0 Score

4.8

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

Vulnerability description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation.

This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.

This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.

Affected

Erlang / OTP » `stdlib`

Module	Source File	Routine
`stdlib`	`lib/stdlib/src/zip.erl`	`zip:unzip/1`
		`zip:unzip/2`
		`zip:extract/1`
		`zip:extract/2`

Status	Version	Changes / Fixed in
affected	`pkg:otp/stdlib@2.0`	unaffected at `pkg:otp/stdlib@7.0.1` unaffected at `pkg:otp/stdlib@6.2.2.1` unaffected at `pkg:otp/stdlib@5.2.3.4`
affected	`17.0`	unaffected at `28.0.1` unaffected at `27.3.4.1` unaffected at `26.2.5.13`
affected	`07b8f441ca711f9812fad9e9115bab3c3aa92f79`	unaffected at `d9454dbccbaaad4b8796095c8e653b71b066dfaf` unaffected at `9b7b5431260e05a16eec3ecd530a232d0995d932` unaffected at `0ac548b57c0491196c27e39518b5f6acf9326c1e`

Workarounds

You can use zip:list_dir/1 on the archive and verify that no files contain absolute paths before extracting the archive to disk.

References

https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc vendor-advisory
https://www.erlang.org/doc/system/versions.html#order-of-versions x_version-scheme
https://github.com/erlang/otp/pull/9941 patch

Credits

Finder: Wander Nauta
Remediation developer: Lukas Backström
Remediation reviewer: Björn Gustavsson

CVE record as JSON: GET /cves/cve-2025-4748.json