CVE-2020-25623

7.5 HIGH

📋 TL;DR

This CVE describes a directory traversal vulnerability in Erlang/OTP's inets httpd application. An attacker can send specially crafted HTTP requests to read arbitrary files from the server's filesystem. Systems running vulnerable versions of Erlang/OTP with httpd enabled are affected.

💻 Affected Systems

Products:
  • Erlang/OTP
Versions: 22.3.x before 22.3.4.6 and 23.x before 23.1
Operating Systems: All platforms running Erlang/OTP
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the inets httpd application. Many Erlang applications use other HTTP servers or don't expose httpd to untrusted networks.

📦 What is this software?

Erlang/OTP is the Erlang runtime together with its standard set of libraries and applications. inets is the OTP application that bundles an HTTP client (httpc) and an HTTP server (httpd); httpd is typically embedded inside an Erlang application to serve static files or expose small management endpoints rather than deployed as a general-purpose web server.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files such as SSH keys, configuration files, or database credentials, potentially leading to lateral movement and data exfiltration.

🟠 Likely Case

Unauthorized access to sensitive files containing application secrets, configuration data, or user information, leading to a data breach and potential privilege escalation.

🟢 If Mitigated

Limited file access restricted by proper file permissions and network segmentation, with minimal impact due to defense-in-depth controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are well understood and easily weaponized. Exploitation requires that the httpd listener be reachable by the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.3.4.6 or 23.1

Vendor Advisory: https://www.erlang.org/news

Restart Required: Yes

Instructions:

1. Upgrade Erlang/OTP to version 22.3.4.6 or 23.1 or later.
2. Download from erlang.org/downloads or GitHub releases.
3. Install the updated version.
4. Restart all Erlang applications using inets httpd.

🔧 Temporary Workarounds

Disable httpd or restrict access

Applies to: all versions

Disable the inets httpd application if it is not needed, or restrict network access to trusted sources only.

How: modify the Erlang application configuration to disable httpd, or configure firewall rules to restrict access to the httpd listener.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems from untrusted networks
  • Apply strict file system permissions to limit accessible files and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the installed Erlang/OTP version, and check whether the inets httpd service is started in the application configuration.

Check Version:

The full OTP_VERSION string is needed: erlang:system_info(otp_release) on its own prints only the major release (for example 22), which cannot distinguish 22.3.4.5 from 22.3.4.6. The command below reads the OTP_VERSION file from the release directory of the running installation.

erl -noshell -eval '{ok, V} = file:read_file(filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])), io:format("~s", [V]), halt().'

Verify Fix Applied:

Verify that the Erlang/OTP version is 22.3.4.6 or 23.1 or later, and confirm that directory traversal requests against httpd are rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing directory traversal sequences (../, ..\)
  • Access to unexpected file paths in httpd logs

Network Indicators:

  • HTTP requests with encoded directory traversal payloads
  • Unusual file access patterns from single IPs

SIEM Query (field names such as http.url and http.uri depend on your SIEM's schema and log source; adjust them to match):

http.url:*%2e%2e%2f* OR http.url:*..%2f* OR http.uri:*../*
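Added example, not part of this advisory: a Python script that applies the log indicators above to constructed access-log lines. It assumes the Common Log Format that inets httpd's mod_log transfer log is expected to write, percent-decodes the request path (including double encoding and backslash separators) before checking for a ".." segment, and so catches variants that the wildcard SIEM query above does not, while not flagging names that merely contain "..".

```python
import re
from urllib.parse import unquote

# Common Log Format line: client, ident, user, [timestamp], "request", status, bytes.
# Assumed layout of the inets httpd transfer log (mod_log); adjust the regex if yours differs.
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def normalize_path(raw_path, rounds=2):
    """Percent-decode up to `rounds` times (so %252e%252e is caught) and treat backslashes as separators."""
    path = raw_path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(raw_path):
    """True if, after normalization, any path segment is exactly '..' (so '..notes' is not flagged)."""
    path = normalize_path(raw_path.split("?", 1)[0])
    return any(seg == ".." for seg in path.split("/"))

def flag_traversal(log_lines):
    """Return (client_ip, raw_path, status) for each traversal hit; lines that are not CLF are skipped."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        if len(parts) < 2:
            continue
        if has_traversal(parts[1]):
            hits.append((m.group("ip"), parts[1], int(m.group("status"))))
    return hits

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2020:13:55:37 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1824',
    '10.0.0.9 - - [10/Oct/2020:13:55:38 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [10/Oct/2020:13:55:39 +0000] "GET /static/%252e%252e/config.sys HTTP/1.1" 200 90',
    '10.0.0.7 - - [10/Oct/2020:13:55:40 +0000] "GET /docs/..notes/readme.txt HTTP/1.1" 200 77',
    "this line is not in Common Log Format",
]

if __name__ == "__main__":
    for ip, path, status in flag_traversal(SAMPLE_LOG):
        print(f"{ip} requested {path!r} (HTTP {status})")
```

Repeated hits from one client, as in the sample, are the "single IP" pattern listed under Network Indicators; a 403 hit still shows that someone probed the listener.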
