
CVE-2025-4748: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Erlang OTP

Medium
Tags: Vulnerability, CVE-2025-4748, cve, cve-2025-4748, cwe-22
Published: Mon Jun 16 2025 (06/16/2025, 11:00:54 UTC)
Source: CVE Database V5
Vendor/Project: Erlang
Product: OTP

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.

AI-Powered Analysis

Last updated: 06/16/2025, 11:19:33 UTC

Technical Analysis

CVE-2025-4748 is a path traversal vulnerability identified in the Erlang Open Telecom Platform (OTP), specifically within the standard library (stdlib) modules responsible for handling ZIP file operations. The vulnerability arises from improper limitation of pathname inputs in the zip.erl source file, affecting the functions zip:unzip/1, zip:unzip/2, zip:extract/1, and zip:extract/2 unless the 'memory' option is explicitly used. This flaw allows an attacker to perform absolute path traversal, enabling unauthorized file manipulation on the host system. The vulnerability affects a wide range of OTP versions, from OTP 17.0 through OTP 28.0.1, including intermediate patch versions such as OTP 27.3.4.1 and OTP 26.2.5.13, and corresponding stdlib versions from 2.0 up to 7.0.1. The core issue is that the vulnerable functions do not adequately sanitize or restrict file paths extracted from ZIP archives, allowing crafted ZIP files to overwrite or create files outside the intended extraction directory. This can lead to arbitrary file writes, potentially overwriting critical system or application files, which may result in privilege escalation, code execution, or denial of service. The CVSS 4.0 base score is 4.8 (medium severity), reflecting that the attack vector is local (AV:L), requires low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:P). The vulnerability impacts confidentiality, integrity, and availability to a limited extent, with no scope change. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is particularly relevant to systems and applications that utilize Erlang OTP's ZIP handling capabilities, especially those that process untrusted ZIP files without the 'memory' option enabled, which mitigates the issue by avoiding filesystem extraction.

Potential Impact

For European organizations, the impact of CVE-2025-4748 can be significant in environments where Erlang OTP is used, particularly in telecommunications, messaging platforms, distributed systems, and backend services that rely on Erlang for concurrency and fault tolerance. Exploitation could allow attackers to manipulate files on affected systems, potentially leading to unauthorized code execution, data corruption, or service disruption. This is especially critical for organizations handling sensitive data or critical infrastructure, as file manipulation could compromise system integrity or availability. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk, especially in multi-user environments or where attackers can trick users into processing malicious ZIP files. Given Erlang's widespread use in telecom and financial sectors, the vulnerability could affect core services, leading to operational disruptions and reputational damage. Additionally, the lack of patches at the time of disclosure increases the window of exposure. European organizations with legacy OTP versions or those slow to update are at higher risk. The medium severity rating suggests moderate urgency but should not be underestimated in high-value or sensitive environments.

Mitigation Recommendations

Avoid processing ZIP files from untrusted sources or implement strict validation of ZIP contents before extraction. Use the 'memory' option in zip:unzip and zip:extract functions to handle ZIP contents in-memory rather than extracting to the filesystem, mitigating path traversal risks. Upgrade Erlang OTP to versions beyond 28.0.1 once patches addressing this vulnerability are released. Implement application-level sandboxing or containerization to limit the impact of potential file manipulations. Monitor file system changes and maintain integrity checks on critical files to detect unauthorized modifications. Educate users and administrators about the risks of opening or processing ZIP files from unverified sources, reducing the likelihood of user interaction-based exploitation. Apply strict access controls and least privilege principles to limit the ability of compromised processes to affect critical system components. Review and harden backup and recovery procedures to quickly restore systems in case of exploitation.
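The analysis above turns on one point: zip:unzip and zip:extract write each entry wherever the archive's own entry name says, and only the memory option avoids the filesystem. The module below is an added example, written for this page and not code from Erlang/OTP or from the advisory. It shows both sides of the mitigation: unzip_in_memory/1 applies the memory option exactly as the recommendations describe, and extract/2 uses zip:foldl/3 (which hands each entry's name and contents to a callback without writing anything) so the caller, not the archive, decides the destination; validate_name/1 rejects absolute and volume-relative names and any ".." component before a path is joined to the target directory. The module name, the TMPDIR-based demo directory and the single-file constructed archive in demo/0 are assumptions made for the example.

```erlang
%% safe_unzip.erl -- added example, not OTP's own code nor the advisory's.
%% Pulls entries out of a ZIP with zip:foldl/3 and decides itself where
%% (and whether) each entry is written, so an entry name such as
%% "/etc/passwd" or "../../x" can never leave TargetDir.
-module(safe_unzip).
-export([validate_name/1, extract/2, unzip_in_memory/1, demo/0]).

-include_lib("kernel/include/file.hrl").

%% ok for a relative name that never steps upward; {error, Reason} otherwise.
%% filename:pathtype/1 returns absolute for "/etc/passwd" and volumerelative
%% for Windows forms such as "C:x"; both are rejected.
validate_name(Name) when is_list(Name) ->
    case filename:pathtype(Name) of
        relative ->
            case lists:member("..", filename:split(Name)) of
                true  -> {error, {parent_reference, Name}};
                false -> ok
            end;
        Type ->
            {error, {Type, Name}}
    end.

%% The mitigation named in the advisory: with the memory option the archive
%% is never written to disk, so there is no path to traverse.
%% Returns {ok, [{Name, Binary}]} for a file name or an archive binary.
unzip_in_memory(Archive) ->
    zip:unzip(Archive, [memory]).

%% Extract Archive (a path, or {Name, Binary} for an in-memory archive)
%% below TargetDir. Returns {ok, Log}, where Log records every entry that
%% was written and every entry that was rejected by validate_name/1.
extract(Archive, TargetDir) ->
    Fold = fun(Name, GetInfo, GetBin, Acc) ->
                   case validate_name(Name) of
                       ok ->
                           [write_entry(TargetDir, Name, GetInfo, GetBin) | Acc];
                       {error, Reason} ->
                           [{rejected, Reason} | Acc]
                   end
           end,
    case zip:foldl(Fold, [], Archive) of
        {ok, Log}          -> {ok, lists:reverse(Log)};
        {error, _} = Error -> Error
    end.

%% Only reached for names that passed validate_name/1, so the join can
%% only land inside TargetDir.
write_entry(TargetDir, Name, GetInfo, GetBin) ->
    Dest = filename:join(TargetDir, Name),
    Info = GetInfo(),
    IsDir = Info#file_info.type =:= directory orelse lists:suffix("/", Name),
    case IsDir of
        true ->
            %% ensure_dir/1 creates the parents of its argument, so join a
            %% dummy leaf to create Dest itself.
            ok = filelib:ensure_dir(filename:join(Dest, "x")),
            {dir, Name};
        false ->
            Bin = GetBin(),
            ok = filelib:ensure_dir(Dest),
            ok = file:write_file(Dest, Bin),
            {file, Name, byte_size(Bin)}
    end.

%% Builds a constructed archive in memory (no fixture files needed), runs it
%% through extract/2 and unzip_in_memory/1, and shows validate_name/1 on
%% names shaped like the ones the advisory describes.
demo() ->
    {ok, {_, ZipBin}} =
        zip:create("demo.zip",
                   [{"docs/readme.txt", <<"hello from a constructed archive\n">>}],
                   [memory]),
    TargetDir = filename:join(os:getenv("TMPDIR", "/tmp"), "safe_unzip_demo"),
    {ok, Log} = extract({"demo.zip", ZipBin}, TargetDir),
    Checks = [{N, validate_name(N)}
              || N <- ["docs/readme.txt", "../escape.txt", "/etc/passwd"]],
    {ok, InMem} = unzip_in_memory(ZipBin),
    #{written => Log, checks => Checks, in_memory => [N || {N, _} <- InMem]}.
```

Compile with erlc safe_unzip.erl and call safe_unzip:demo() from the shell: the constructed archive lands under $TMPDIR/safe_unzip_demo, the two traversal-shaped names come back as {error, {parent_reference, ...}} and {error, {absolute, ...}}, and the memory path returns the entry name with its binary and touches no file. The check is deliberately lexical and happens before any filesystem call, which is the property the affected zip:unzip/zip:extract paths lacked; it does not attempt to resolve symlinks already present under TargetDir, so extracting into a fresh, empty directory remains the safer choice.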


Technical Details

Data Version: 5.1
Assigner Short Name: EEF
Date Reserved: 2025-05-15T08:36:54.783Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684ffa37a8c921274384024b

Added to database: 6/16/2025, 11:04:23 AM

Last enriched: 6/16/2025, 11:19:33 AM

Last updated: 8/11/2025, 7:43:45 AM

Views: 21
