Description
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.

The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.

The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.

The ftp application is deprecated and scheduled for removal in OTP-30.

This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).

This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
Published: 2026-06-10
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FTP PASV responses are accepted without validating the returned IP against the control connection peer, allowing a hostile server to redirect the data channel to an arbitrary host and port. The flaw sits in the client's default configuration: passive mode, ipfamily inet and ftp_extension false. A server controlling the 227 reply can force the client to connect to internal servers, cloud metadata services, or third‑party hosts, and either return what those hosts send (ls, nlist, recv) or deliver the caller's file content to them (send, append), enabling SSRF and FTP bounce attacks.

Affected Systems

Erlang/OTP from 17.4 up to, but not including, 29.0.2 ships the vulnerable ftp_internal module; 28.5.0.2 and 27.3.4.13 are the first fixed releases on the OTP 28 and OTP 27 maintenance branches, so earlier releases on those branches are affected. In application terms this is inets 5.10.4 before 7.0 (OTP 17.4 through 20.3, when the client lived in lib/inets) and ftp before 1.2.6, 1.2.4.1 and 1.2.3.1 (OTP 21 and later, lib/ftp). The ftp application is deprecated and scheduled for removal in OTP‑30; that removal is not a fix for existing deployments, which need one of the patched releases above or a workaround.

Risk and Exploitability

The CVSS 4.0 base score is 6.3 (Medium). EPSS is not available, and the vulnerability is not listed in CISA KEV. The attacker must control the FTP server the client talks to, whether a malicious server, a compromised one, or an on‑path position on an unencrypted control channel; this precondition is what the AT:P component of the vector reflects. No authentication is required (PR:N) and no user interaction beyond an ordinary ftp:ls, ftp:recv or ftp:send call. A crafted 227 reply then makes the client open a TCP connection to an IP and port of the attacker's choosing, which supports internal reconnaissance, reads from the redirected target, and exfiltration of file content to a third‑party host.

Generated by OpenCVE AI on June 10, 2026 at 17:24 UTC.

Remediation

Vendor Workaround

Pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6, both of which bypass the vulnerable PASV path.
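The following Erlang module is an added example and is not code from OTP's ftp_internal module or from the CVE record. It shows the RFC 2577 section 3 check that the description says the PASV handler omits (parse the 227 reply, then accept the advertised host only if it equals the control-connection peer), and the ftp_extension workaround from the paragraph above wrapped around ftp:open/2. The module name pasv_guard, the function names, and the sample 227 replies and peer address in demo/0 are assumptions; the only OTP calls used are re:run/3, inet:peername/1 and ftp:open/2.

```erlang
%% pasv_guard.erl -- added example, not OTP's ftp_internal code.
%% Implements the RFC 2577 s.3 check the vulnerable PASV handler lacks:
%% the host in the 227 reply must equal the control-connection peer
%% before any data connection is opened to it.
-module(pasv_guard).
-export([parse_227/1, check_pasv/2, data_addr/2, open_hardened/2, demo/0]).

%% Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into
%% {ok, {IP, Port}}. Malformed, out-of-range or port-0 replies are
%% rejected rather than passed on to gen_tcp:connect/4.
parse_227(Line) when is_list(Line) ->
    Re = "\\((\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})\\)",
    case re:run(Line, Re, [{capture, all_but_first, list}]) of
        {match, Fields} ->
            Vals = [list_to_integer(F) || F <- Fields],
            case lists:all(fun(V) -> V =< 255 end, Vals) of
                true ->
                    [H1, H2, H3, H4, P1, P2] = Vals,
                    case P1 * 256 + P2 of
                        0    -> {error, bad_227};
                        Port -> {ok, {{H1, H2, H3, H4}, Port}}
                    end;
                false ->
                    {error, bad_227}
            end;
        nomatch ->
            {error, bad_227}
    end.

%% The guard itself: accept the advertised address only when it matches
%% the IP the control connection is already talking to. The port may
%% differ, as PASV requires, so only the host is compared.
check_pasv(Line, CtrlPeerIP) ->
    case parse_227(Line) of
        {ok, {IP, Port}} when IP =:= CtrlPeerIP ->
            {ok, {IP, Port}};
        {ok, {IP, _Port}} ->
            {error, {pasv_ip_mismatch, IP, CtrlPeerIP}};
        {error, _} = Err ->
            Err
    end.

%% Wrapper for a live control socket: derive the peer from the socket,
%% as the description says the EPSV handlers already do. Assumes a plain
%% gen_tcp socket; a TLS-wrapped control channel would use
%% ssl:peername/1 instead.
data_addr(CSock, Line) ->
    case inet:peername(CSock) of
        {ok, {PeerIP, _PeerPort}} -> check_pasv(Line, PeerIP);
        {error, _} = Err          -> Err
    end.

%% Workaround for unpatched releases: with ftp_extension=true the client
%% issues EPSV instead of PASV, so the unvalidated branch is never
%% reached. Host and any extra ftp:open/2 options are caller-supplied.
open_hardened(Host, ExtraOpts) ->
    ftp:open(Host, [{ftp_extension, true} | ExtraOpts]).

%% Constructed sample (assumption, not captured traffic): the control
%% peer is 203.0.113.7; the first reply is honest, the second tries to
%% redirect the data channel to the link-local metadata address.
demo() ->
    Peer = {203, 0, 113, 7},
    Good = "227 Entering Passive Mode (203,0,113,7,4,1).",
    Evil = "227 Entering Passive Mode (169,254,169,254,0,80).",
    {check_pasv(Good, Peer), check_pasv(Evil, Peer)}.
```

Compile with erlc pasv_guard.erl and call pasv_guard:demo() in a shell: the honest reply yields {ok, {IP, Port}} while the redirect yields {error, {pasv_ip_mismatch, ...}} and never reaches a connect call. Note that comparing only the host is what RFC 2577 prescribes; a server can still direct the client to another port on the server's own address, which is inherent to PASV and not part of this CVE.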


OpenCVE Recommended Actions

  • Upgrade to a fixed release: Erlang/OTP 29.0.2 or later, or 28.5.0.2 / 27.3.4.13 on the OTP 28 / OTP 27 maintenance branches (ftp 1.2.6, 1.2.4.1 and 1.2.3.1), which add the PASV IP validation.
  • Where an upgrade is not yet possible, apply the vendor workaround: pass {ftp_extension, true} to ftp:open/2 so the client negotiates EPSV. {mode, active} also avoids the PASV path but requires the server to connect back to the client, which fails behind NAT or an ingress firewall; {ipfamily, inet6} only helps where the server is reachable over IPv6.
  • Disable or remove the deprecated ftp application if nothing in the deployment needs it; audit for callers of ftp:open before doing so.

Generated by OpenCVE AI on June 10, 2026 at 17:24 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:30:00 +0000

Metrics (ssvc), values added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 16:00:00 +0000

Description, values added:
Description Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts. The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30. This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
Title, values added: ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
First Time appeared, values added: Erlang; Erlang erlang\/otp
Weaknesses, values added: CWE-918
CPEs, values added: cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products, values added: Erlang; Erlang erlang\/otp
References, values added:
Metrics (cvssV4_0), values added:

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-10T16:21:08.893Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48858

Vulnrichment

Updated: 2026-06-10T16:21:01.387Z

NVD

Status : Received

Published: 2026-06-10T16:17:11.077

Modified: 2026-06-10T16:17:11.077

Link: CVE-2026-48858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses