Byte Open Security

(ByteOS Network)

CVE Vulnerability Details: CVE-2025-48039
Status: PUBLISHED
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 11 Sep, 2025 | 08:13
Updated At: 05 Jun, 2026 | 11:58
Rejected At: (none)
CVE Numbering Authority (CNA)
Unverified Paths can Cause Excessive Use of System Resources

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Affected Products
Vendor
Erlang
Product
OTP
Package Name
ssh
Repo
https://github.com/erlang/otp
CPEs
  • cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Modules
  • ssh_sftp
Program Files
  • lib/ssh/src/ssh_sftpd.erl
Default Status
unknown
Versions
Affected
  • From 3.0.1 before * (otp)
    • -> unaffected from 5.3.3
    • -> unaffected from 5.2.11.3
    • -> unaffected from 5.1.4.12
Vendor
Erlang
Product
OTP
Collection URL
https://github.com
Package Name
erlang/otp
Repo
https://github.com/erlang/otp
CPEs
  • cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Modules
  • ssh_sftp
Program Files
  • lib/ssh/src/ssh_sftpd.erl
Default Status
unknown
Versions
Affected
  • From 17.0 before * (otp)
    • -> unaffected from 28.0.3
    • -> unaffected from 27.3.4.3
    • -> unaffected from 26.2.5.15
  • From 07b8f441ca711f9812fad9e9115bab3c3aa92f79 before * (git)
    • -> unaffected from c242e6458967e9514bea351814151695807a54ac
    • -> unaffected from 043ee3c943e2977c1acdd740ad13992fd60b6bf0
Problem Types
Type: CWE
CWE ID: CWE-770
Description: CWE-770 Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-400
Description: CWE-400 Uncontrolled Resource Consumption
Metrics
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
CAPEC ID: CAPEC-131
Description: CAPEC-131 Resource Leak Exposure
Solutions

Configurations

The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration.

Workarounds

* Disable SFTP.
* Limit the number of max_sessions allowed for sshd, so that exploitation becomes more complicated.

Exploits

Credits

Remediation developer: Jakub Witczak
Remediation reviewer: Ingela Anderton Andin
Timeline
Event | Date
Replaced By

Rejected Reason

References
Hyperlink: https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8
Resource: vendor-advisory, related
Hyperlink: https://cna.erlef.org/cves/CVE-2025-48039.html
Resource: related
Hyperlink: https://osv.dev/vulnerability/EEF-CVE-2025-48039
Resource: related
Hyperlink: https://www.erlang.org/doc/system/versions.html#order-of-versions
Resource: x_version-scheme
Hyperlink: https://github.com/erlang/otp/pull/10155
Resource: patch
Hyperlink: https://github.com/erlang/otp/commit/c242e6458967e9514bea351814151695807a54ac
Resource: patch
Hyperlink: https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0
Resource: patch
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Details not found