Description
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.

This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Published: 2025-09-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the ssh_sftp module of Erlang OTP, where the allocation of file handles lacks any limits or throttling, leading to excessive allocation and resource leaks. Attackers who can initiate SFTP connections can trigger an uncontrolled growth of open file descriptors, exhausting system resources and ultimately producing a denial of service. The weakness aligns with CWE‑400 (Control of Resource Consumption) and CWE‑770 (Allocation of Resources Without Limits).

Affected Systems

This issue is present in Erlang OTP releases starting from OTP 17.0 up through OTP 28.0.3, as well as specific intermediate releases (OTP 27.3.4.3 and OTP 26.2.5.15). The vulnerability affects the ssh component versions from 3.0.1 to 5.3.3, 5.2.11.3, and 5.1.4.12. Systems running these versions of Erlang OTP are subject to the risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% reflects a very low current exploitation probability. The vulnerability is not listed in CISA's KEV catalog. While the description does not explicitly provide the required privilege level, it is inferred that an attacker must be able to create SFTP sessions against the vulnerable ssh service to trigger the issue. Successful exploitation could lead to a denial of service by exhausting file descriptors and other related resources.

Generated by OpenCVE AI on June 5, 2026 at 13:23 UTC.

Remediation

Vendor Workaround

* Disable sftp * limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated

OpenCVE Recommended Actions

  • Upgrade Erlang OTP to the latest patched version
  • Disable the SSH SFTP subsystem if it is not required
  • Configure sshd to restrict the maximum number of concurrent session connections

Generated by OpenCVE AI on June 5, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4376-1 erlang security update
EUVD EUVD EUVD-2025-27679 Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
History

Fri, 05 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
References

Fri, 12 Sep 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Fri, 12 Sep 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Erlang otp
Vendors & Products Erlang otp

Thu, 11 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Sep 2025 08:30:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Title Unverified File Handles can Cause Excessive Use of System Resources
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-400
CWE-770
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Erlang Erlang\/otp Otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-05T11:58:55.918Z

Reserved: 2025-05-15T08:36:04.576Z

Link: CVE-2025-48038

cve-icon Vulnrichment

Updated: 2025-09-11T13:30:58.973Z

cve-icon NVD

Status : Deferred

Published: 2025-09-11T09:15:33.940

Modified: 2026-06-05T13:16:33.373

Link: CVE-2025-48038

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-11T08:13:04Z

Links: CVE-2025-48038 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T13:30:36Z

Weaknesses