{"id":"EEF-CVE-2025-48039","summary":"Unverified Paths can Cause Excessive Use of System Resources","details":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in Erlang/OTP ssh (ssh_sftpd module) allows Excessive Allocation and Resource Leak Exposure. This vulnerability is associated with the program file lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 up to OTP 28.0.3, OTP 27.3.4.3 and OTP 26.2.5.15 (fixed in those releases), corresponding to ssh from 3.0.1 up to 5.3.3, 5.2.11.3 and 5.1.4.12.\n\n## Workaround\n\n*  Disable the SFTP subsystem (set {subsystems, []} in the SSH daemon options)\n*  Limit the number of concurrent sessions with the max_sessions daemon option; this makes exploitation harder but does not remove the underlying issue\n\n## Configuration\n\nThe SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration.","aliases":["CVE-2025-48039","GHSA-rr5p-6856-j7h8"],"modified":"2026-05-27T16:00:05.925806828Z","published":"2025-09-11T08:13:36.878Z","database_specific":{"cwe_ids":["CWE-770","CWE-400"],"cpe_ids":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"capec_ids":["CAPEC-130","CAPEC-131"]},"references":[{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2025-48039.html"},{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"FIX","url":"https://github.com/erlang/otp/pull/10155"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/c242e6458967e9514bea351814151695807a54ac"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"07b8f441ca711f9812fad9e9115bab3c3aa92f79"},{"fixed":"c242e6458967e9514bea351814151695807a54ac"},{"fixed":"043ee3c943e2977c1acdd740ad13992fd60b6bf0"}]}],"versions":["patch-base-26","OTP-26.2.5","patch-base-27","OTP-27.3.4","OTP-26.2.5.9","OTP-27.0","OTP-26.2.5.12","OTP-27.3","OTP-26.2.3","OTP-27.3.3","OTP-26.2.5.14","OTP-26.0","OTP-26.2.5.13","OTP-25.0","OTP-26.2.5.11","OTP-27.3.2","OTP-26.2.5.10","OTP-27.2","OTP-27.3.1","OTP-26.2.5.8","OTP-26.2.5.7","OTP-26.2.5.6","OTP-27.1","OTP-26.2.5.5","OTP-26.2.5.4","OTP-26.2.5.3","OTP-26.2","OTP-26.2.5.2","OTP-26.2.5.1","OTP-26.2.4","OTP-27.0-rc3","OTP-27.0-rc2","OTP-27.0-rc1","OTP-24.0","OTP-26.1","OTP-26.0-rc3","OTP-26.0-rc2","OTP-26.0-rc1","OTP-23.0","OTP-21.0","OTP-25.0-rc3","OTP-25.0-rc2","OTP-25.0-rc1","OTP-22.0","OTP-24.0-rc3","OTP-24.0-rc2","OTP-24.0-rc1","OTP-23.0-rc3","OTP-23.0-rc2","OTP-23.0-rc1","OTP-20.0","OTP-22.0-rc3","OTP-22.0-rc2","OTP-22.0-rc1","OTP-19.0","OTP-21.0-rc2","OTP-18.0","OTP-21.0-rc1","OTP-17.0","OTP-20.0-rc2","OTP-20.0-rc1","OTP-19.0-rc2","OTP-19.0-rc1","OTP-18.0-rc1"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2025-48039.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}],"credits":[{"name":"Jakub Witczak","type":"REMEDIATION_DEVELOPER"},{"name":"Ingela Anderton Andin","type":"REMEDIATION_REVIEWER"}]}