CVE-2025-48038

Summary

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.

This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Affected Software

VendorProductVersion RangeStatus
ErlangOTP3.0.1 < *affected
ErlangOTP17.0 < *affected
ErlangOTP07b8f441ca711f9812fad9e9115bab3c3aa92f79 < *affected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling
  • CWE-400: CWE-400 Uncontrolled Resource Consumption

Workarounds

  • Disable sftp
  • limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References