Description
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.

This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Published: 2025-09-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is uncontrolled allocation of system resources in the SFTP server of the Erlang/OTP ssh application, lib/ssh/src/ssh_sftpd.erl. The advisory title, "Unverified Paths can Cause Excessive Use of System Resources", ties the trigger to path handling in SFTP requests: a request whose path is not adequately checked can make the server consume memory or other resources without an upper bound (CWE-400, CWE-770). The impact is confined to availability, ranging from service degradation to a complete denial of service for users of the affected SSH/SFTP service; both CVSS vectors record no confidentiality or integrity impact.

Affected Systems

It affects Erlang/OTP from 17.0 up to 28.0.3, 27.3.4.3 and 26.2.5.15, corresponding to the ssh application from 3.0.1 up to 5.3.3, 5.2.11.3 and 5.1.4.12, as stated in the official description. The three upper bounds are one per maintained branch (OTP 28, 27 and 26); the description's "until" wording does not itself say whether each bound is inclusive, so confirm against the OTP release notes that the installed ssh version is at or past the bound for its branch before closing the finding.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium); Red Hat separately rates the issue Moderate with a CVSS v3.1 score of 4.3. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC record marks exploitation as none and the issue as not automatable, all indicating a low probability of exploitation at present. The vector (AV:N/AC:L/AT:N/PR:L/UI:N) describes a network-reachable attacker who already holds low privileges, that is, an account able to open an SFTP session, with no attack complexity and no user interaction, and an impact limited to availability. Given the advisory title, the trigger is inferred to be the content of SFTP requests (unverified paths) rather than connection volume alone, so the vendor's interim measures, disabling SFTP or limiting max_sessions on the daemon, either remove the reachable code or bound how far a single account can multiply the effect; only upgrading removes the flaw.

Generated by OpenCVE AI on June 5, 2026 at 14:20 UTC.

Remediation

Vendor Workaround

  • Disable sftp
  • Limit the number of max_sessions allowed for sshd, so exploitation becomes more complicated


OpenCVE Recommended Actions

  • Disable the SFTP subsystem: start ssh:daemon/2,3 with a subsystems option that omits ssh_sftpd (the default subsystem list includes it), so the vulnerable code in ssh_sftpd.erl is never reachable.
  • Set the daemon option max_sessions to a small value (for example 5) to cap the number of concurrent sessions a single account can use. This is the Erlang ssh daemon option, not the OpenSSH sshd_config directive MaxSessions, which has no effect on an Erlang ssh daemon.
  • Monitor the node's memory, process and port counts (ports back sockets and file descriptors in the VM) and alert on abnormal growth to detect an ongoing attempt.
  • Upgrade the ssh application to 5.3.3, 5.2.11.3 or 5.1.4.12 (OTP 28.0.3, 27.3.4.3 or 26.2.5.15) or later for the branch in use; the workarounds reduce exposure but do not remove the flaw.
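As an added example (not code from Erlang/OTP or from OpenCVE), the following Erlang module expresses the actions above as ssh:daemon/2 options and adds two checks a practitioner would want alongside them: a test of whether the node's installed ssh application version falls in the affected range, and a resource snapshot to feed the monitoring item. The system_dir and user_dir paths, port 2222, the 60 s idle timeout and the reading of 5.3.3, 5.2.11.3 and 5.1.4.12 as the fixed releases are assumptions made for illustration.

```erlang
%% sftp_workaround.erl -- added example, not code from Erlang/OTP or OpenCVE.
%% Shows the vendor's two workarounds as ssh:daemon/2 options, a version
%% check against the advisory's upper bounds, and a resource snapshot for
%% monitoring. Paths, the port and the fixed-version list are assumptions.
-module(sftp_workaround).
-export([default_opts/1, hardened_opts/1, start/1,
         installed_ssh_vsn/0, affected/1, resource_snapshot/0]).

%% Baseline: ssh_sftpd is in the default `subsystems` list, so any sftp
%% client reaches the code in lib/ssh/src/ssh_sftpd.erl, and there is no
%% cap on concurrent sessions. Shown for contrast only; do not deploy.
default_opts(SystemDir) ->
    [{system_dir, SystemDir},
     {user_dir, "/var/lib/erlssh/users"},      % assumed path
     {subsystems, [ssh_sftpd:subsystem_spec([{cwd, "/srv/sftp"}])]}].

%% Workaround: omit ssh_sftpd from `subsystems` (SFTP disabled) and bound
%% the number of simultaneous sessions so a low-privileged account cannot
%% multiply its effect across many connections.
hardened_opts(SystemDir) ->
    [{system_dir, SystemDir},
     {user_dir, "/var/lib/erlssh/users"},      % assumed path
     {subsystems, []},                         % no SFTP subsystem at all
     {max_sessions, 5},                        % vendor: limit max_sessions
     {idle_time, 60000}].                      % close idle connections (ms)

start(SystemDir) ->
    {ok, _} = application:ensure_all_started(ssh),
    ssh:daemon(2222, hardened_opts(SystemDir)).   % assumed port

%% Version string of the ssh application on this node, e.g. "5.3.3".
installed_ssh_vsn() ->
    case application:load(ssh) of
        ok -> ok;
        {error, {already_loaded, ssh}} -> ok
    end,
    {ok, Vsn} = application:get_key(ssh, vsn),
    Vsn.

%% Releases assumed to carry the fix, one per maintained branch, read from
%% the advisory's "until 5.3.3, 5.2.11.3 and 5.1.4.12". Confirm this reading
%% against the OTP release notes.
fixed_vsns() -> [[5,3,3], [5,2,11,3], [5,1,4,12]].

%% true if the given ssh version string is inside the affected range.
%% Erlang compares lists element by element, so [5,2,11] < [5,2,11,3].
affected(VsnStr) ->
    V = parse_vsn(VsnStr),
    Branch = lists:sublist(V, 2),
    case [F || F <- fixed_vsns(), lists:sublist(F, 2) =:= Branch] of
        [Fixed] -> V >= [3,0,1] andalso V < Fixed;
        []      -> V >= [3,0,1] andalso V < lists:min(fixed_vsns())
    end.

parse_vsn(VsnStr) ->
    [list_to_integer(P) || P <- string:tokens(VsnStr, ".")].

%% Counters worth alerting on while the workaround is in place: node
%% memory, process count and port count (ports back sockets and file
%% descriptors in the VM).
resource_snapshot() ->
    #{memory_total => erlang:memory(total),
      processes    => erlang:system_info(process_count),
      ports        => erlang:system_info(port_count)}.
```

Compile with erlc sftp_workaround.erl. On a node in the affected range, sftp_workaround:affected(sftp_workaround:installed_ssh_vsn()) returns true (for instance "5.2.11" is affected, "5.2.11.3" and "5.3.3" are not, "3.0.0" predates the range); sftp_workaround:start/1 brings up the daemon with the workaround options, and resource_snapshot/0 can be polled from whatever scheduler feeds your alerting.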

Generated by OpenCVE AI on June 5, 2026 at 14:20 UTC.


Advisories
  • Debian DLA: DLA-4376-1, erlang security update
  • EUVD: EUVD-2025-27678, Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure (same text as the Description above)
History

Fri, 05 Jun 2026 12:45:00 +0000

Description: "This issue affects OTP form OTP 17.0" corrected to "This issue affects OTP from OTP 17.0"; the rest of the text is unchanged.

Mon, 06 Apr 2026 16:45:00 +0000


Fri, 12 Sep 2025 08:15:00 +0000

First Time appeared (added): Erlang otp
Vendors & Products (added): Erlang otp

Fri, 12 Sep 2025 00:15:00 +0000

References: updated
Metrics:
  threat_severity: None (removed); Moderate (added)
  cvssV3_1 (added): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


Thu, 11 Sep 2025 15:15:00 +0000

Metrics:
  ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 08:30:00 +0000

Description (added): Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Title (added): Unverified Paths can Cause Excessive Use of System Resources
First Time appeared (added): Erlang; Erlang erlang/otp
Weaknesses (added): CWE-400, CWE-770
CPEs (added): cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products (added): Erlang; Erlang erlang/otp
References: updated
Metrics:
  cvssV4_0 (added): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-05T11:58:56.396Z

Reserved: 2025-05-15T08:36:04.576Z

Link: CVE-2025-48039

Vulnrichment

Updated: 2025-09-11T13:30:47.914Z

NVD

Status : Deferred

Published: 2025-09-11T09:15:34.180

Modified: 2026-06-17T09:29:02.950

Link: CVE-2025-48039

Redhat

Severity : Moderate

Public Date: 2025-09-11T08:13:36Z

Links: CVE-2025-48039 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T14:30:27Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling