{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-30211", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-18T18:15:13.850Z", "datePublished": "2025-03-28T14:55:47.778Z", "dateUpdated": "2025-03-28T15:10:37.128Z"}, "containers": {"cna": {"title": "KEX init error results with excessive memory usage", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc"}], "affected": [{"vendor": "erlang", "product": "otp", "versions": [{"version": "< OTP-27.3.1", "status": "affected"}, {"version": "< OTP-26.2.5.10", "status": "affected"}, {"version": "< OTP-25.3.2.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-28T14:55:47.778Z"}, "descriptions": [{"lang": "en", "value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option."}], "source": {"advisory": "GHSA-vvr3-fjhh-cfwc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-28T15:10:23.043937Z", "id": "CVE-2025-30211", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T15:10:37.128Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30211", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-28T15:10:23.043937Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T15:10:26.011Z"}}], "cna": {"title": "KEX init error results with excessive memory usage", "source": {"advisory": "GHSA-vvr3-fjhh-cfwc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "erlang", "product": "otp", "versions": [{"status": "affected", "version": "< OTP-27.3.1"}, {"status": "affected", "version": "< OTP-26.2.5.10"}, {"status": "affected", "version": "< OTP-25.3.2.19"}]}], "references": [{"url": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc", "name": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-28T14:55:47.778Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30211", "state": "PUBLISHED", "dateUpdated": "2025-03-28T15:10:37.128Z", "dateReserved": "2025-03-18T18:15:13.850Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-28T14:55:47.778Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option."}], "id": "CVE-2025-30211", "lastModified": "2025-03-28T18:11:40.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-28T15:15:50.863", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "erlang: KEX init error results with excessive memory usage", "id": "2355785", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355785"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-789", "details": ["Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.", "A flaw was found in Erlang/OTP. This vulnerability allows an attacker to cause high memory consumption via a maliciously crafted KEX init message that exceeds RFC-specified limits on algorithm names."], "name": "CVE-2025-30211", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2025-03-28T14:55:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-30211\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-30211\nhttps://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc"], "statement": "This vulnerability is rated as an Important severity because a maliciously crafted KEX init message can cause excessive memory usage by bypassing RFC limits on algorithm names. This leads to inefficient processing and high memory allocation, potentially impacting system performance and availability.", "threat_severity": "Important"}

{"created": "2025-07-12T15:26:05.971174+00:00", "updated": "2025-07-12T15:26:05.971255+00:00", "vendors": ["erlang", "erlang$PRODUCT$otp"]}