CVE-2025-4748: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Erlang OTP
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
AI Analysis
Technical Summary
CVE-2025-4748 is a medium-severity vulnerability classified under CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal. The issue affects the Erlang Open Telecom Platform (OTP), specifically the standard library (stdlib) module that handles ZIP archives (lib/stdlib/src/zip.erl). The vulnerable routines are zip:unzip/1, zip:unzip/2, zip:extract/1 and zip:extract/2, unless the 'memory' option is explicitly passed to them, in which case no files are written to disk. The flaw allows absolute path traversal: an archive entry whose name is an absolute path is written where that name points rather than under the chosen extraction directory, so a crafted archive can create, overwrite or otherwise manipulate files outside the intended target directory. The affected versions span a wide range of OTP releases, from OTP 17.0 up to, but not including, OTP 28.0.1, 27.3.4.1 and 26.2.5.13 (the upper bounds named in the description), corresponding to stdlib 2.0 up to 7.0.1, 6.2.2.1 and 5.2.3.4. The root cause is that the extraction routines do not sanitize or restrict the file names stored in the archive before using them as output paths. The CVSS 4.0 base score is 4.8, reflecting medium severity with a local attack vector, low attack complexity, no privileges required, but user interaction needed. The impact on confidentiality and integrity is limited, with some impact on availability possible if critical files are overwritten. No known exploits are currently reported in the wild, and no official patches have been linked yet, so mitigation may rely on configuration or workarounds until a fix is deployed.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the extent to which Erlang OTP is used within their software stacks, particularly in telecommunications, messaging platforms, or backend services that process ZIP files using the vulnerable stdlib modules. Exploitation could allow attackers with local access or the ability to trick users into processing malicious ZIP files to manipulate files on the system, potentially leading to data corruption, service disruption, or privilege escalation if critical system files are targeted. While the vulnerability requires local access or user interaction, it poses a risk in environments where untrusted ZIP files are processed automatically or by privileged services. This could affect service availability and data integrity, impacting business continuity and compliance with data protection regulations such as GDPR if sensitive data is compromised or systems are disrupted. The absence of known exploits reduces immediate risk, but the broad range of affected versions and the common use of Erlang in European telecom and software sectors mean organizations should proactively assess exposure.
Mitigation Recommendations
European organizations should take the following specific actions:
1) Audit all systems and applications to identify usage of Erlang OTP versions between 17.0 and 28.0.1, focusing on components that handle ZIP file extraction via stdlib modules.
2) Where possible, configure applications to use the 'memory' option when invoking zip:unzip or zip:extract functions, as this option is noted to mitigate the vulnerability by avoiding file system extraction.
3) Implement strict input validation and sandboxing for any ZIP files processed, ensuring that untrusted archives are handled in isolated environments to prevent unauthorized file system access.
4) Monitor Erlang OTP vendor channels for official patches or updates addressing CVE-2025-4748 and plan timely deployment.
5) Educate users and administrators about the risks of processing untrusted ZIP files and enforce policies to limit such actions.
6) Employ file integrity monitoring on critical systems to detect unauthorized file changes that could result from exploitation.
7) Consider network segmentation and access controls to limit local access to vulnerable systems, reducing the attack surface.
These measures go beyond generic advice by focusing on configuration options, operational controls, and proactive monitoring tailored to the nature of this vulnerability.
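Recommendations 2 and 3 combine naturally: unpack the archive with the 'memory' option so the stdlib never writes to disk, then validate every entry name yourself before writing it under the destination directory. The following module is an added example written for this page; it is not code from Erlang/OTP, and the module name safe_unzip, the function names and the rejection reasons are assumptions. It relies only on documented stdlib calls (zip:unzip/2 with [memory], filename:split/1, filename:pathtype/1, filelib:ensure_dir/1 and file:write_file/2). An entry is rejected if its name is empty, absolute (or volume-relative on Windows), or contains a ".." component; as a second line of defence the joined path is checked to still lie under the destination root, and the whole archive is refused on the first bad entry rather than extracted partially.

```erlang
%% safe_unzip.erl -- added example, not code from Erlang/OTP.
%% Extracts an archive with zip:unzip/2 in [memory] mode (no file system
%% access by the stdlib), then writes only entries whose names have been
%% validated to stay inside DestDir.
-module(safe_unzip).
-export([extract/2, safe_entry_path/2]).

%% extract(Archive, DestDir) -> {ok, [WrittenPath]} | {error, Reason}
%% Archive is a file name or a binary; DestDir is the extraction root,
%% created if it does not exist.
extract(Archive, DestDir) ->
    case zip:unzip(Archive, [memory]) of
        {ok, Entries} ->
            Root = filename:absname(DestDir),
            ok = filelib:ensure_dir(filename:join(Root, ".")),
            write_entries(Entries, Root, []);
        {error, Reason} ->
            {error, {unzip, Reason}}
    end.

write_entries([], _Root, Acc) ->
    {ok, lists:reverse(Acc)};
write_entries([{Name, Bin} | Rest], Root, Acc) ->
    case safe_entry_path(Root, Name) of
        {ok, Path} ->
            ok = write_one(Path, Name, Bin),
            write_entries(Rest, Root, [Path | Acc]);
        {error, Why} ->
            %% Refuse the whole archive on the first unsafe entry; a partial
            %% extraction would leave a confusing on-disk state.
            {error, {unsafe_entry, Name, Why}}
    end.

%% Directory entries (names ending in "/") are created; file entries are
%% written after making sure their parent directories exist.
write_one(Path, Name, Bin) ->
    case lists:suffix("/", Name) of
        true ->
            filelib:ensure_dir(filename:join(Path, "."));
        false ->
            ok = filelib:ensure_dir(Path),
            file:write_file(Path, Bin)
    end.

%% safe_entry_path(Root, Name) -> {ok, AbsPath} | {error, Reason}
%% Rejects empty names, absolute or volume-relative names and any ".."
%% component, then double-checks that the joined path lies under Root.
safe_entry_path(Root, Name) ->
    Components = filename:split(Name),
    case check_components(Components) of
        ok ->
            Path = filename:join([Root | Components]),
            case lists:prefix(filename:split(Root), filename:split(Path)) of
                true -> {ok, Path};
                false -> {error, escapes_root}
            end;
        {error, _} = Err ->
            Err
    end.

check_components([]) ->
    {error, empty_name};
check_components(Components) ->
    %% filename:pathtype/1 returns absolute for "/etc/passwd" or "C:/x" and
    %% volumerelative for "/x" on Windows; only relative names are accepted.
    case filename:pathtype(filename:join(Components)) of
        relative -> check_each(Components);
        _ -> {error, absolute_path}
    end.

check_each([]) -> ok;
check_each([".." | _]) -> {error, parent_reference};
check_each([_ | Rest]) -> check_each(Rest).

%% Usage from the shell (paths are placeholders):
%%   safe_unzip:extract("upload.zip", "/var/app/extracted").
%%   safe_unzip:safe_entry_path("/var/app/extracted", "/etc/passwd").
%%   safe_unzip:safe_entry_path("/var/app/extracted", "a/../../b").
```

Because every entry is held in memory before any write, this approach also gives a natural place to enforce a size limit per entry and per archive, which is worth adding when the archives come from untrusted users. Note that on Unix hosts a name containing backslashes is not split on them and simply becomes a file with that literal name under Root, so the check above treats it as a single, harmless component.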
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: EEF
- Date Reserved: 2025-05-15T08:36:54.783Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 684ffa37a8c921274384024b
Added to database: 6/16/2025, 11:04:23 AM
Last enriched: 9/3/2025, 12:40:29 AM
Last updated: 9/26/2025, 10:15:14 PM