CVE-2025-48039
Unverified Paths can Cause Excessive Use of System Resources
Vulnerability description
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation and Resource Leak Exposure. This vulnerability is associated with the program file lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15, corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Affected
pkg:otp/ssh

| Module | Source File |
|---|---|
| ssh_sftp | lib/ssh/src/ssh_sftpd.erl |

| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | otp | 3.0.1 | |

pkg:github/erlang/otp

| Module | Source File |
|---|---|
| ssh_sftp | lib/ssh/src/ssh_sftpd.erl |

| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | otp | 17.0 | |
| affected | git | 07b8f441ca71 | |

Configurations
The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration.
Workarounds
- Disable SFTP (set {subsystems, []} in the SSH daemon configuration)
- Limit the number of sessions with the max_sessions option of the SSH daemon, so that exploitation becomes more complicated
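The following Erlang module is an added example, not code from the advisory or from the OTP project. It contrasts a daemon started with the default subsystem list (which leaves ssh_sftpd enabled, as the Configurations section notes) with the two workarounds above: an empty subsystem list, and an explicit SFTP subsystem combined with a max_sessions cap. The port, host key directory, user list, SFTP root and session limit are assumptions chosen for illustration.

```erlang
%% Added example (not part of the advisory or OTP): ssh daemon configurations
%% with and without the CVE-2025-48039 workarounds applied.
%% Port, system_dir, users, sftp root and the session limit are assumed values.
-module(sftp_hardening_example).
-export([start_default/0, start_without_sftp/0, start_limited_sftp/0]).

-define(PORT, 2222).                     %% assumed listening port
-define(SYSTEM_DIR, "/etc/ssh").         %% assumed host key directory
-define(USERS, [{"demo", "change-me"}]). %% assumed test credentials

%% Weak configuration: no 'subsystems' option is given, so the ssh application
%% installs its default subsystem list, which includes ssh_sftpd. On an
%% affected OTP release this exposes the vulnerable SFTP server to any
%% authenticated client.
start_default() ->
    ensure_started(),
    ssh:daemon(?PORT, [{system_dir, ?SYSTEM_DIR},
                       {user_passwords, ?USERS}]).

%% Workaround 1: an empty subsystem list, so SFTP requests are rejected and
%% ssh_sftpd is never started for a channel.
start_without_sftp() ->
    ensure_started(),
    ssh:daemon(?PORT, [{system_dir, ?SYSTEM_DIR},
                       {user_passwords, ?USERS},
                       {subsystems, []}]).

%% Workaround 2: SFTP stays available but the daemon accepts at most four
%% concurrent sessions, bounding how many SFTP servers can be driven at once.
%% The explicit subsystem spec also pins the SFTP root (assumed path).
start_limited_sftp() ->
    ensure_started(),
    ssh:daemon(?PORT, [{system_dir, ?SYSTEM_DIR},
                       {user_passwords, ?USERS},
                       {max_sessions, 4},
                       {subsystems,
                        [ssh_sftpd:subsystem_spec([{root, "/srv/sftp"}])]}]).

%% The ssh application (and its dependencies) must be running before
%% ssh:daemon/2 is called.
ensure_started() ->
    {ok, _} = application:ensure_all_started(ssh),
    ok.
```

The first function shows the state to avoid on an unpatched release; the second is the complete mitigation from the Workarounds list; the third keeps SFTP for hosts that need it and only narrows the resource exposure, so it should be treated as a stopgap until the fixed ssh version is installed.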
References
- https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8 vendor-advisory related
- https://osv.dev/vulnerability/EEF-CVE-2025-48039 related
- https://github.com/erlang/otp/pull/10155 patch
- https://github.com/erlang/otp/commit/c242e6458967e9514bea351814151695807a54ac patch
- https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0 patch
Credits
- Remediation developer: Jakub Witczak
- Remediation reviewer: Ingela Andin
CVE record as JSON:
GET /cves/CVE-2025-48039.json
OSV record as JSON:
GET /osv/EEF-CVE-2025-48039.json