{"id":"CVE-2025-48041","details":"Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15, corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.","aliases":["EEF-CVE-2025-48041","GHSA-79c4-cvv7-4qm3"],"modified":"2026-04-10T05:28:06.222822Z","published":"2025-09-11T09:15:34.603Z","related":["SUSE-SU-2025:3807-1","SUSE-SU-2025:4035-1","openSUSE-SU-2025:15740-1"],"references":[{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-79c4-cvv7-4qm3"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/5f9af63eec4657a37663828d206517828cb9f288"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401"},{"type":"FIX","url":"https://github.com/erlang/otp/pull/10157"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"0"},{"fixed":"5f9af63eec4657a37663828d206517828cb9f288"}]},{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"0"},{"fixed":"d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401"}]}],"versions":["OTP-17.0","OTP-18.0","OTP-18.0-rc1","OTP-19.0","OTP-19.0-rc1","OTP-19.0-rc2","OTP-20.0","OTP-20.0-rc1","OTP-20.0-rc2","OTP-21.0","OTP-21.0-rc1","OTP-21.0-rc2","OTP-22.0","OTP-22.0-rc1","OTP-22.0-rc2","OTP-22.0-rc3","OTP-23.0","OTP-23.0-rc1","OTP-23.0-rc2","OTP-23.0-rc3","OTP-24.0","OTP-24.0-rc1","OTP-24.0-rc2","OTP-24.0-rc3","OTP-25.0","OTP-25.0-rc1","OTP-25.0-rc2","OTP-25.0-rc3","OTP-26.0","OTP-26.0-rc1","OTP-26.0-rc2","OTP-26.0-rc3","OTP-26.1","OTP-26.2","OTP-26.2.3","OTP-26.2.4","OTP-26.2.5","OTP-26.2.5.1","OTP-26.2.5.10","OTP-26.2.5.11","OTP-26.2.5.12","OTP-26.2.5.13","OTP-26.2.5.14","OTP-26.2.5.2","OTP-26.2.5.3","OTP-26.2.5.4","OTP-26.2.5.5","OTP-26.2.5.6","OTP-26.2.5.7","OTP-26.2.5.8","OTP-26.2.5.9","OTP-27.0","OTP-27.0-rc1","OTP-27.0-rc2","OTP-27.0-rc3","OTP-27.1","OTP-27.2","OTP-27.3","OTP-27.3.1","OTP-27.3.2","OTP-27.3.3","OTP-27.3.4","OTP_17.0-rc1","OTP_17.0-rc2","OTP_R13B03","OTP_R13B04","OTP_R14A","OTP_R14B","OTP_R14B01","OTP_R14B02","OTP_R14B03","OTP_R15A","OTP_R15B","OTP_R16A_RELEASE_CANDIDATE","OTP_R16B","patch-base-26","patch-base-27"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48041.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}