Description
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.

This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Published: 2025-09-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Apply Workaround
AI Analysis

Impact

The vulnerability resides in the SSH/SFTP component of Erlang OTP where unverified paths allow the system to allocate resources without any limits or throttling. Attackers can exploit this by initiating excessive file transfer sessions, resulting in uncontrolled consumption of memory, file descriptors, or other critical resources, which may culminate in a denial of service. The weakness is described by CWE-400 and CWE-770, indicating uncontrolled resource consumption and insufficient resource limits.

Affected Systems

The flaw affects Erlang:OTP releases from 17.0 through 28.0.3, including specific sub‑releases 27.3.4.3 and 26.2.5.15. The impacted SSH module versions span from 3.0.1 to 5.3.3, 5.2.11.3, and 5.1.4.12, as detailed in the CVE description.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability presents a medium severity. The EPSS score is below 1% and the flaw is not listed in the CISA KEV catalog, suggesting a low current exploitation probability. The likely attack vector is remote via the SFTP subsystem, where an attacker can create many concurrent connections to trigger the resource leak. The vendor’s recommended interim measures include disabling SFTP support or limiting the maximum number of concurrent SSH sessions to reduce the exploitation surface.

Generated by OpenCVE AI on April 28, 2026 at 00:23 UTC.

Remediation

Vendor Workaround

* Disable sftp * limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated

OpenCVE Recommended Actions

  • Upgrade Erlang OTP to a version that contains the official fix for the SSH/SFTP resource exhaustion issue.
  • Disable the SFTP subsystem in the SSH daemon configuration to prevent the vulnerable code from being invoked.
  • Configure the SSH daemon to limit MaxSessions to a small number (for example, MaxSessions 5) to restrict the number of concurrent connections.

Generated by OpenCVE AI on April 28, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4376-1 erlang security update
EUVD EUVD EUVD-2025-27678 Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
References

Fri, 12 Sep 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Erlang otp
Vendors & Products Erlang otp

Fri, 12 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Thu, 11 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Sep 2025 08:30:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Title Unverified Paths can Cause Excessive Use of System Resources
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-400
CWE-770
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Erlang Erlang\/otp Otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-07T14:38:01.049Z

Reserved: 2025-05-15T08:36:04.576Z

Link: CVE-2025-48039

cve-icon Vulnrichment

Updated: 2025-09-11T13:30:47.914Z

cve-icon NVD

Status : Deferred

Published: 2025-09-11T09:15:34.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-48039

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-11T08:13:36Z

Links: CVE-2025-48039 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T00:30:15Z

Weaknesses