| Package | erlang |
|---|---|
| Version | 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u5 (stretch), 1:22.2.7+dfsg-1+deb10u4 (buster) |
| Related CVEs | CVE-2025-4748 CVE-2025-48038 CVE-2025-48039 CVE-2025-48041 |
Multiple vulnerabilities were fixed in Erlang, a concurrent, real-time, distributed functional language.
- CVE-2025-4748

  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program file lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.

- CVE-2025-48038, CVE-2025-48039, CVE-2025-48041

  Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure, Flooding. These vulnerabilities are associated with program file lib/ssh/src/ssh_sftpd.erl.
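The advisory notes that the zip routines are not affected when the memory option is passed. The following added example (not code from OTP or from the Debian package; the module and function names are the example's own) uses that option as a defensive wrapper: the archive is decoded entirely in memory, every entry name is rejected if it is absolute or contains a ".." component, and only then are files written under the chosen destination.

```erlang
%% safe_unzip.erl: added example, not part of OTP or the Debian package.
%% Uses zip:unzip/2 with the `memory` option so zip.erl never touches the
%% filesystem; entry names are validated before this module writes them.
%% Entry names are assumed to be charlists, as zip:unzip/2 returns them.
-module(safe_unzip).
-export([extract/2, safe_entry_name/1]).

%% {ok, Parts} when Name is a relative path with no ".." component,
%% otherwise {error, Reason}.
safe_entry_name(Name) when is_list(Name) ->
    case filename:pathtype(Name) of
        relative ->
            Parts = filename:split(Name),
            case lists:member("..", Parts) of
                true  -> {error, {dot_dot, Name}};
                false -> {ok, Parts}
            end;
        _Absolute ->
            {error, {absolute_path, Name}}
    end.

%% Archive is a file name or a binary, as accepted by zip:unzip/2.
%% Returns {ok, WrittenPaths} or the first error encountered.
extract(Archive, Dest) ->
    case zip:unzip(Archive, [memory]) of
        {ok, Entries}    -> write_entries(Entries, Dest, []);
        {error, _} = Err -> Err
    end.

write_entries([], _Dest, Written) ->
    {ok, lists:reverse(Written)};
write_entries([{Name, Bin} | Rest], Dest, Written) ->
    case safe_entry_name(Name) of
        {ok, Parts} ->
            Path = filename:join([Dest | Parts]),
            case lists:suffix("/", Name) of
                true ->
                    %% directory entry: create it and carry on
                    ok = filelib:ensure_dir(filename:join(Path, ".")),
                    write_entries(Rest, Dest, Written);
                false ->
                    ok = filelib:ensure_dir(Path),
                    ok = file:write_file(Path, Bin),
                    write_entries(Rest, Dest, [Path | Written])
            end;
        {error, _} = Err ->
            %% refuse the whole archive rather than silently skip an entry
            Err
    end.
```

Calling `safe_unzip:extract("upload.zip", "/var/lib/app/incoming")` fails with `{error, {absolute_path, "/etc/passwd"}}` or `{error, {dot_dot, "../x"}}` before any file is written, which is the behaviour a caller on an unpatched version would otherwise lack.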
For Debian 10 buster, these problems have been fixed in version 1:22.2.7+dfsg-1+deb10u4.
For Debian 9 stretch, these problems have been fixed in version 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u5.
We recommend that you upgrade your erlang packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.