EEF-CVE-2025-48040

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2025-48040.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2025-48040.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2025-48040

Aliases

CVE-2025-48040
GHSA-h7rg-6rjg-4cph

Published

2025-09-11T08:14:19.671Z

Modified

2025-11-03T00:12:38.929633Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Malicious Key Exchange Messages may Lead to Excessive Resource Consumption

Details

Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (sshsftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl.

This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Database specific

{
    "cpe_ids": [
        "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "capec_ids": [
        "CAPEC-130",
        "CAPEC-125"
    ]
}

References

Credits

- Jakub Witczak - REMEDIATION_DEVELOPER
- Ingela Andin - REMEDIATION_REVIEWER

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type: GIT
Repo: https://github.com/erlang/otp
Events: Introduced

07b8f441ca711f9812fad9e9115bab3c3aa92f79

Fixed

7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a

Fixed

548f1295d86d0803da884db8685cc16d461d0d5a

Affected versions

OTP-17.*

OTP-17.0

OTP-17.0.1

OTP-17.0.2

OTP-17.1

OTP-17.1.1

OTP-17.1.2

OTP-17.2

OTP-17.2.1

OTP-17.2.2

OTP-17.3

OTP-17.3.1

OTP-17.3.2

OTP-17.3.3

OTP-17.3.4

OTP-17.4

OTP-17.4.1

OTP-17.5

OTP-17.5.1

OTP-17.5.2

OTP-17.5.3

OTP-17.5.4

OTP-17.5.5

OTP-17.5.6

OTP-17.5.6.1

OTP-17.5.6.10

OTP-17.5.6.2

OTP-17.5.6.3

OTP-17.5.6.4

OTP-17.5.6.5

OTP-17.5.6.6

OTP-17.5.6.7

OTP-17.5.6.8

OTP-17.5.6.9

OTP-18.*

OTP-18.0

OTP-18.0-rc1

OTP-18.0-rc2

OTP-18.0.1

OTP-18.0.2

OTP-18.0.3

OTP-18.1

OTP-18.1.1

OTP-18.1.2

OTP-18.1.3

OTP-18.1.4

OTP-18.1.5

OTP-18.2

OTP-18.2.1

OTP-18.2.2

OTP-18.2.3

OTP-18.2.4

OTP-18.2.4.0.1

OTP-18.2.4.1

OTP-18.3

OTP-18.3.1

OTP-18.3.2

OTP-18.3.3

OTP-18.3.4

OTP-18.3.4.1

OTP-18.3.4.1.1

OTP-18.3.4.10

OTP-18.3.4.11

OTP-18.3.4.2

OTP-18.3.4.3

OTP-18.3.4.4

OTP-18.3.4.5

OTP-18.3.4.6

OTP-18.3.4.7

OTP-18.3.4.8

OTP-18.3.4.9

OTP-19.*

OTP-19.0

OTP-19.0-rc1

OTP-19.0-rc2

OTP-19.0.1

OTP-19.0.2

OTP-19.0.3

OTP-19.0.4

OTP-19.0.5

OTP-19.0.6

OTP-19.0.7

OTP-19.1

OTP-19.1.1

OTP-19.1.2

OTP-19.1.3

OTP-19.1.4

OTP-19.1.5

OTP-19.1.6

OTP-19.1.6.1

OTP-19.2

OTP-19.2.1

OTP-19.2.2

OTP-19.2.3

OTP-19.2.3.1

OTP-19.3

OTP-19.3.1

OTP-19.3.2

OTP-19.3.3

OTP-19.3.4

OTP-19.3.5

OTP-19.3.6

OTP-19.3.6.1

OTP-19.3.6.10

OTP-19.3.6.11

OTP-19.3.6.12

OTP-19.3.6.13

OTP-19.3.6.2

OTP-19.3.6.3

OTP-19.3.6.4

OTP-19.3.6.5

OTP-19.3.6.6

OTP-19.3.6.7

OTP-19.3.6.8

OTP-19.3.6.9

OTP-20.*

OTP-20.0

OTP-20.0-rc1

OTP-20.0-rc2

OTP-20.0.1

OTP-20.0.2

OTP-20.0.3

OTP-20.0.4

OTP-20.0.5

OTP-20.1

OTP-20.1.1

OTP-20.1.2

OTP-20.1.3

OTP-20.1.4

OTP-20.1.5

OTP-20.1.6

OTP-20.1.7

OTP-20.1.7.1

OTP-20.2

OTP-20.2.0.1

OTP-20.2.1

OTP-20.2.2

OTP-20.2.3

OTP-20.2.4

OTP-20.3

OTP-20.3.1

OTP-20.3.2

OTP-20.3.2.1

OTP-20.3.3

OTP-20.3.4

OTP-20.3.5

OTP-20.3.6

OTP-20.3.7

OTP-20.3.8

OTP-20.3.8.1

OTP-20.3.8.10

OTP-20.3.8.11

OTP-20.3.8.12

OTP-20.3.8.13

OTP-20.3.8.14

OTP-20.3.8.15

OTP-20.3.8.16

OTP-20.3.8.17

OTP-20.3.8.18

OTP-20.3.8.19

OTP-20.3.8.2

OTP-20.3.8.20

OTP-20.3.8.21

OTP-20.3.8.22

OTP-20.3.8.23

OTP-20.3.8.24

OTP-20.3.8.25

OTP-20.3.8.26

OTP-20.3.8.3

OTP-20.3.8.4

OTP-20.3.8.5

OTP-20.3.8.6

OTP-20.3.8.7

OTP-20.3.8.8

OTP-20.3.8.9

OTP-21.*

OTP-21.0

OTP-21.0-rc1

OTP-21.0-rc2

OTP-21.0.1

OTP-21.0.2

OTP-21.0.3

OTP-21.0.4

OTP-21.0.5

OTP-21.0.6

OTP-21.0.7

OTP-21.0.8

OTP-21.0.9

OTP-21.1

OTP-21.1.1

OTP-21.1.2

OTP-21.1.3

OTP-21.1.4

OTP-21.2

OTP-21.2.1

OTP-21.2.2

OTP-21.2.3

OTP-21.2.4

OTP-21.2.5

OTP-21.2.6

OTP-21.2.7

OTP-21.3

OTP-21.3.1

OTP-21.3.2

OTP-21.3.3

OTP-21.3.4

OTP-21.3.5

OTP-21.3.6

OTP-21.3.7

OTP-21.3.7.1

OTP-21.3.8

OTP-21.3.8.1

OTP-21.3.8.10

OTP-21.3.8.11

OTP-21.3.8.12

OTP-21.3.8.13

OTP-21.3.8.14

OTP-21.3.8.15

OTP-21.3.8.16

OTP-21.3.8.17

OTP-21.3.8.18

OTP-21.3.8.19

OTP-21.3.8.2

OTP-21.3.8.20

OTP-21.3.8.21

OTP-21.3.8.22

OTP-21.3.8.23

OTP-21.3.8.24

OTP-21.3.8.3

OTP-21.3.8.4

OTP-21.3.8.5

OTP-21.3.8.6

OTP-21.3.8.7

OTP-21.3.8.8

OTP-21.3.8.9

OTP-22.*

OTP-22.0

OTP-22.0-rc1

OTP-22.0-rc2

OTP-22.0-rc3

OTP-22.0.1

OTP-22.0.2

OTP-22.0.3

OTP-22.0.4

OTP-22.0.5

OTP-22.0.6

OTP-22.0.7

OTP-22.1

OTP-22.1.1

OTP-22.1.2

OTP-22.1.3

OTP-22.1.4

OTP-22.1.5

OTP-22.1.6

OTP-22.1.7

OTP-22.1.8

OTP-22.1.8.1

OTP-22.2

OTP-22.2.1

OTP-22.2.2

OTP-22.2.3

OTP-22.2.4

OTP-22.2.5

OTP-22.2.6

OTP-22.2.7

OTP-22.2.8

OTP-22.3

OTP-22.3.1

OTP-22.3.2

OTP-22.3.3

OTP-22.3.4

OTP-22.3.4.1

OTP-22.3.4.10

OTP-22.3.4.11

OTP-22.3.4.12

OTP-22.3.4.12.1

OTP-22.3.4.13

OTP-22.3.4.14

OTP-22.3.4.15

OTP-22.3.4.16

OTP-22.3.4.17

OTP-22.3.4.18

OTP-22.3.4.19

OTP-22.3.4.2

OTP-22.3.4.20

OTP-22.3.4.21

OTP-22.3.4.22

OTP-22.3.4.23

OTP-22.3.4.24

OTP-22.3.4.25

OTP-22.3.4.26

OTP-22.3.4.27

OTP-22.3.4.3

OTP-22.3.4.4

OTP-22.3.4.5

OTP-22.3.4.6

OTP-22.3.4.7

OTP-22.3.4.8

OTP-22.3.4.9

OTP-23.*

OTP-23.0

OTP-23.0-rc1

OTP-23.0-rc2

OTP-23.0-rc3

OTP-23.0.1

OTP-23.0.2

OTP-23.0.3

OTP-23.0.4

OTP-23.1

OTP-23.1.1

OTP-23.1.2

OTP-23.1.3

OTP-23.1.4

OTP-23.1.4.1

OTP-23.1.5

OTP-23.2

OTP-23.2.1

OTP-23.2.2

OTP-23.2.3

OTP-23.2.4

OTP-23.2.5

OTP-23.2.6

OTP-23.2.7

OTP-23.2.7.1

OTP-23.2.7.2

OTP-23.2.7.3

OTP-23.2.7.4

OTP-23.2.7.5

OTP-23.3

OTP-23.3.1

OTP-23.3.2

OTP-23.3.3

OTP-23.3.4

OTP-23.3.4.1

OTP-23.3.4.10

OTP-23.3.4.11

OTP-23.3.4.12

OTP-23.3.4.13

OTP-23.3.4.14

OTP-23.3.4.15

OTP-23.3.4.16

OTP-23.3.4.17

OTP-23.3.4.18

OTP-23.3.4.19

OTP-23.3.4.2

OTP-23.3.4.20

OTP-23.3.4.3

OTP-23.3.4.4

OTP-23.3.4.5

OTP-23.3.4.6

OTP-23.3.4.7

OTP-23.3.4.8

OTP-23.3.4.9

OTP-24.*

OTP-24.0

OTP-24.0-rc1

OTP-24.0-rc2

OTP-24.0-rc3

OTP-24.0.1

OTP-24.0.2

OTP-24.0.3

OTP-24.0.4

OTP-24.0.5

OTP-24.0.6

OTP-24.1

OTP-24.1.1

OTP-24.1.2

OTP-24.1.3

OTP-24.1.4

OTP-24.1.5

OTP-24.1.6

OTP-24.1.7

OTP-24.2

OTP-24.2.1

OTP-24.2.2

OTP-24.3

OTP-24.3.1

OTP-24.3.2

OTP-24.3.3

OTP-24.3.4

OTP-24.3.4.1

OTP-24.3.4.10

OTP-24.3.4.11

OTP-24.3.4.12

OTP-24.3.4.13

OTP-24.3.4.14

OTP-24.3.4.15

OTP-24.3.4.16

OTP-24.3.4.17

OTP-24.3.4.2

OTP-24.3.4.3

OTP-24.3.4.4

OTP-24.3.4.5

OTP-24.3.4.6

OTP-24.3.4.7

OTP-24.3.4.8

OTP-24.3.4.9

OTP-25.*

OTP-25.0

OTP-25.0-rc1

OTP-25.0-rc2

OTP-25.0-rc3

OTP-25.0.1

OTP-25.0.2

OTP-25.0.3

OTP-25.0.4

OTP-25.1

OTP-25.1.1

OTP-25.1.2

OTP-25.1.2.1

OTP-25.2

OTP-25.2.1

OTP-25.2.2

OTP-25.2.3

OTP-25.3

OTP-25.3.1

OTP-25.3.2

OTP-25.3.2.1

OTP-25.3.2.10

OTP-25.3.2.11

OTP-25.3.2.12

OTP-25.3.2.13

OTP-25.3.2.14

OTP-25.3.2.15

OTP-25.3.2.16

OTP-25.3.2.17

OTP-25.3.2.18

OTP-25.3.2.2

OTP-25.3.2.3

OTP-25.3.2.4

OTP-25.3.2.5

OTP-25.3.2.6

OTP-25.3.2.7

OTP-25.3.2.8

OTP-25.3.2.9

OTP-26.*

OTP-26.0

OTP-26.0-rc1

OTP-26.0-rc2

OTP-26.0-rc3

OTP-26.0.1

OTP-26.0.2

OTP-26.1

OTP-26.1.1

OTP-26.1.2

OTP-26.2

OTP-26.2.1

OTP-26.2.2

OTP-26.2.3

OTP-26.2.4

OTP-26.2.5

OTP-26.2.5.1

OTP-26.2.5.10

OTP-26.2.5.11

OTP-26.2.5.12

OTP-26.2.5.13

OTP-26.2.5.14

OTP-26.2.5.2

OTP-26.2.5.3

OTP-26.2.5.4

OTP-26.2.5.5

OTP-26.2.5.6

OTP-26.2.5.7

OTP-26.2.5.8

OTP-26.2.5.9

OTP-27.*

OTP-27.0

OTP-27.0-rc1

OTP-27.0-rc2

OTP-27.0-rc3

OTP-27.0.1

OTP-27.1

OTP-27.1.1

OTP-27.1.2

OTP-27.1.3

OTP-27.2

OTP-27.2.1

OTP-27.2.2

OTP-27.2.3

OTP-27.2.4

OTP-27.3

OTP-27.3.1

OTP-27.3.2

OTP-27.3.3

OTP-27.3.4

Other

patch-base-24

patch-base-25

patch-base-26

patch-base-27