CVE-2025-48039

Source
https://cve.org/CVERecord?id=CVE-2025-48039
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48039.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48039
Aliases
Downstream
Related
Published
2025-09-11T08:13:36.878Z
Modified
2026-07-15T01:48:55.840199115Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Unverified Paths can Cause Excessive Use of System Resources
Details

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (sshsftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl.

This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Database specific
{
    "cna_assigner": "EEF",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "3.0.1"
                },
                {
                    "fixed": "*"
                },
                {
                    "introduced": "17.0"
                },
                {
                    "fixed": "*"
                },
                {
                    "introduced": "07b8f441ca711f9812fad9e9115bab3c3aa92f79"
                },
                {
                    "fixed": "*"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48039.json"
}
References

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type
GIT
Repo
https://github.com/erlang/otp
Events
Database specific
{
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "26.2.5.15"
        },
        {
            "introduced": "27.0"
        },
        {
            "fixed": "27.3.4.3"
        },
        {
            "introduced": "28.0"
        },
        {
            "fixed": "28.0.3"
        }
    ]
}

Affected versions

OTP-17.*
OTP-17.0
OTP-18.*
OTP-18.0
OTP-18.0-rc1
OTP-19.*
OTP-19.0
OTP-19.0-rc1
OTP-19.0-rc2
OTP-20.*
OTP-20.0
OTP-20.0-rc1
OTP-20.0-rc2
OTP-21.*
OTP-21.0
OTP-21.0-rc1
OTP-21.0-rc2
OTP-22.*
OTP-22.0
OTP-22.0-rc1
OTP-22.0-rc2
OTP-22.0-rc3
OTP-23.*
OTP-23.0
OTP-23.0-rc1
OTP-23.0-rc2
OTP-23.0-rc3
OTP-24.*
OTP-24.0
OTP-24.0-rc1
OTP-24.0-rc2
OTP-24.0-rc3
OTP-25.*
OTP-25.0
OTP-25.0-rc1
OTP-25.0-rc2
OTP-25.0-rc3
OTP-26.*
OTP-26.0
OTP-26.0-rc1
OTP-26.0-rc2
OTP-26.0-rc3
OTP-26.1
OTP-26.2
OTP-26.2.3
OTP-26.2.4
OTP-26.2.5
OTP-26.2.5.1
OTP-26.2.5.10
OTP-26.2.5.11
OTP-26.2.5.12
OTP-26.2.5.13
OTP-26.2.5.14
OTP-26.2.5.2
OTP-26.2.5.3
OTP-26.2.5.4
OTP-26.2.5.5
OTP-26.2.5.6
OTP-26.2.5.7
OTP-26.2.5.8
OTP-26.2.5.9
OTP-27.*
OTP-27.0
OTP-27.1
OTP-27.2
OTP-27.3
OTP-27.3.1
OTP-27.3.2
OTP-27.3.3
OTP-27.3.4
OTP-27.3.4.1
OTP-27.3.4.2
OTP-28.*
OTP-28.0
OTP-28.0.1
OTP-28.0.2
OTP_17.*
OTP_17.0-rc1
OTP_17.0-rc2
Other
OTP_R13B03
OTP_R13B04
OTP_R14A
OTP_R14B
OTP_R14B01
OTP_R14B02
OTP_R14B03
OTP_R15A
OTP_R15B
OTP_R16A_RELEASE_CANDIDATE
OTP_R16B
patch-base-26
patch-base-27

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48039.json"