CVE-2025-4748: 
CBL Mariner vulnerability analysis and mitigation

An absolute-path traversal vulnerability (CVE-2025-4748) was discovered in Erlang OTP's standard library (stdlib modules) affecting versions from OTP 17.0 through OTP 28.0.0. The vulnerability exists in the ZIP routines (zip:unzip/1,2 and zip:extract/1,2) when the memory option is not used. The issue was discovered by Wander Nauta and affects stdlib versions from 2.0 until 7.0.1 (Openwall Advisory, GitHub Advisory).

The vulnerability allows absolute path traversal and file manipulation through the ZIP module's file extraction functionality. When extracting files to disk and the archive contains maliciously crafted entries with absolute file paths, the module processes them verbatim instead of stripping the leading slash, drive, or device letter. The issue specifically affects the program files lib/stdlib/src/zip.erl and routines zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 unless the memory option is passed. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L (NVD).

When exploited, this vulnerability allows an attacker to create or overwrite arbitrary files that are writable by the Erlang VM. The impact is particularly significant when processing untrusted ZIP archives, as it could lead to unauthorized file manipulation on the system (GitHub Advisory).

The vulnerability has been patched in versions OTP 28.0.1, OTP 27.3.4.1, and OTP 26.2.5.13. Until systems can be upgraded, two workarounds are available: 1) Pass the memory option and perform custom validation before writing files to disk, or 2) Use zip:list_dir/1 to check for absolute paths in archives before extraction. The patch is available in unified diff form at the GitHub pull request (Openwall Advisory).