{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-30211", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-18T18:15:13.850Z", "datePublished": "2025-03-28T14:55:47.778Z", "dateUpdated": "2025-11-03T19:46:46.745Z"}, "containers": {"cna": {"title": "KEX init error results with excessive memory usage", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc"}], "affected": [{"vendor": "erlang", "product": "otp", "versions": [{"version": "< OTP-27.3.1", "status": "affected"}, {"version": "< OTP-26.2.5.10", "status": "affected"}, {"version": "< OTP-25.3.2.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-28T14:55:47.778Z"}, "descriptions": [{"lang": "en", "value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option."}], "source": {"advisory": "GHSA-vvr3-fjhh-cfwc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-28T15:10:23.043937Z", "id": "CVE-2025-30211", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T15:10:37.128Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:46:46.745Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:46:46.745Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30211", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-28T15:10:23.043937Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T15:10:26.011Z"}}], "cna": {"title": "KEX init error results with excessive memory usage", "source": {"advisory": "GHSA-vvr3-fjhh-cfwc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "erlang", "product": "otp", "versions": [{"status": "affected", "version": "< OTP-27.3.1"}, {"status": "affected", "version": "< OTP-26.2.5.10"}, {"status": "affected", "version": "< OTP-25.3.2.19"}]}], "references": [{"url": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc", "name": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-28T14:55:47.778Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30211", "state": "PUBLISHED", "dateUpdated": "2025-11-03T19:46:46.745Z", "dateReserved": "2025-03-18T18:15:13.850Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-28T14:55:47.778Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option."}, {"lang": "es", "value": "Erlang/OTP es un conjunto de librer\u00edas para el lenguaje de programaci\u00f3n Erlang. En versiones anteriores a OTP-27.3.1, 26.2.5.10 y 25.3.2.19, un mensaje de inicio de KEX malintencionado pod\u00eda generar un alto consumo de memoria. La implementaci\u00f3n no verifica los l\u00edmites especificados por RFC para los nombres de algoritmos (64 caracteres) proporcionados en el mensaje de inicio de KEX. Un paquete de inicio de KEX de gran tama\u00f1o puede provocar un procesamiento ineficiente de los datos de error. Como resultado, se asignar\u00e1 una gran cantidad de memoria para procesar datos maliciosos. Las versiones OTP-27.3.1, OTP-26.2.5.10 y OTP-25.3.2.19 solucionan este problema. Existen algunos workarounds. Se puede establecer la opci\u00f3n `parallel_login` en `false` o reducir el valor de la opci\u00f3n `max_sessions`."}], "id": "CVE-2025-30211", "lastModified": "2025-11-03T20:18:09.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-28T15:15:50.863", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "erlang: KEX init error results with excessive memory usage", "id": "2355785", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355785"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-789", "details": ["Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.", "A flaw was found in Erlang/OTP. This vulnerability allows an attacker to cause high memory consumption via a maliciously crafted KEX init message that exceeds RFC-specified limits on algorithm names."], "name": "CVE-2025-30211", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2025-03-28T14:55:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-30211\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-30211\nhttps://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc"], "statement": "This vulnerability is rated as an Important severity because a maliciously crafted KEX init message can cause excessive memory usage by bypassing RFC limits on algorithm names. This leads to inefficient processing and high memory allocation, potentially impacting system performance and availability.", "threat_severity": "Important"}

{"created": "2025-07-12T15:26:05.971174+00:00", "updated": "2025-07-12T15:26:05.971255+00:00", "vendors": ["erlang", "erlang$PRODUCT$otp"]}