CVE-2025-48038
Unverified File Handles can Cause Excessive Use of System Resources
Vulnerability description
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure.This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Affected
pkg:otp/ssh
| Module | Source File |
|---|---|
ssh_sftp
|
lib/ssh/src/ssh_sftpd.erl
|
| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | otp ⓘ | 3.0.1
|
|
pkg:github/erlang/otp
| Module | Source File |
|---|---|
ssh_sftp
|
lib/ssh/src/ssh_sftpd.erl
|
| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | otp ⓘ | 17.0
|
|
| affected | git ⓘ | 07b8f441ca71
|
|
Configurations
The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration.
Workarounds
- Disable sftp
- limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated
References
- https://github.com/erlang/otp/security/advisories/GHSA-pvj7-9652-7h9r vendor-advisory related
- https://osv.dev/vulnerability/EEF-CVE-2025-48038 related
- https://github.com/erlang/otp/pull/10156 patch
- https://github.com/erlang/otp/commit/4e3bf86777ab3db7220c11d8ddabf15970ddd10a patch
- https://github.com/erlang/otp/commit/f09e0201ff701993dc24a08f15e524daf72db42f patch
Credits
- Remediation developer: Jakub Witczak
- Remediation reviewer: Ingela Andin
CVE record as JSON:
GET /cves/CVE-2025-48038.json
OSV record as JSON:
GET /osv/EEF-CVE-2025-48038.json