EEF-CVE-2025-48041

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2025-48041.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2025-48041.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2025-48041

Aliases

CVE-2025-48041
GHSA-79c4-cvv7-4qm3

Published

2025-09-11T08:14:20.508Z

Modified

2025-11-03T00:12:42.353624Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles

Details

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (sshsftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl.

This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Database specific

{
    "cpe_ids": [
        "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-770",
        "CWE-400"
    ],
    "capec_ids": [
        "CAPEC-130",
        "CAPEC-125"
    ]
}

References

Credits

- Jakub Witczak - REMEDIATION_DEVELOPER
- Ingela Andin - REMEDIATION_REVIEWER

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type: GIT
Repo: https://github.com/erlang/otp
Events: Introduced

07b8f441ca711f9812fad9e9115bab3c3aa92f79

Fixed

5f9af63eec4657a37663828d206517828cb9f288

Fixed

d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401

Affected versions

OTP-17.*

OTP-17.0

OTP-17.0.1

OTP-17.0.2

OTP-17.1

OTP-17.1.1

OTP-17.1.2

OTP-17.2

OTP-17.2.1

OTP-17.2.2

OTP-17.3

OTP-17.3.1

OTP-17.3.2

OTP-17.3.3

OTP-17.3.4

OTP-17.4

OTP-17.4.1

OTP-17.5

OTP-17.5.1

OTP-17.5.2

OTP-17.5.3

OTP-17.5.4

OTP-17.5.5

OTP-17.5.6

OTP-17.5.6.1

OTP-17.5.6.10

OTP-17.5.6.2

OTP-17.5.6.3

OTP-17.5.6.4

OTP-17.5.6.5

OTP-17.5.6.6

OTP-17.5.6.7

OTP-17.5.6.8

OTP-17.5.6.9

OTP-18.*

OTP-18.0

OTP-18.0-rc1

OTP-18.0-rc2

OTP-18.0.1

OTP-18.0.2

OTP-18.0.3

OTP-18.1

OTP-18.1.1

OTP-18.1.2

OTP-18.1.3

OTP-18.1.4

OTP-18.1.5

OTP-18.2

OTP-18.2.1

OTP-18.2.2

OTP-18.2.3

OTP-18.2.4

OTP-18.2.4.0.1

OTP-18.2.4.1

OTP-18.3

OTP-18.3.1

OTP-18.3.2

OTP-18.3.3

OTP-18.3.4

OTP-18.3.4.1

OTP-18.3.4.1.1

OTP-18.3.4.10

OTP-18.3.4.11

OTP-18.3.4.2

OTP-18.3.4.3

OTP-18.3.4.4

OTP-18.3.4.5

OTP-18.3.4.6

OTP-18.3.4.7

OTP-18.3.4.8

OTP-18.3.4.9

OTP-19.*

OTP-19.0

OTP-19.0-rc1

OTP-19.0-rc2

OTP-19.0.1

OTP-19.0.2

OTP-19.0.3

OTP-19.0.4

OTP-19.0.5

OTP-19.0.6

OTP-19.0.7

OTP-19.1

OTP-19.1.1

OTP-19.1.2

OTP-19.1.3

OTP-19.1.4

OTP-19.1.5

OTP-19.1.6

OTP-19.1.6.1

OTP-19.2

OTP-19.2.1

OTP-19.2.2

OTP-19.2.3

OTP-19.2.3.1

OTP-19.3

OTP-19.3.1

OTP-19.3.2

OTP-19.3.3

OTP-19.3.4

OTP-19.3.5

OTP-19.3.6

OTP-19.3.6.1

OTP-19.3.6.10

OTP-19.3.6.11

OTP-19.3.6.12

OTP-19.3.6.13

OTP-19.3.6.2

OTP-19.3.6.3

OTP-19.3.6.4

OTP-19.3.6.5

OTP-19.3.6.6

OTP-19.3.6.7

OTP-19.3.6.8

OTP-19.3.6.9

OTP-20.*

OTP-20.0

OTP-20.0-rc1

OTP-20.0-rc2

OTP-20.0.1

OTP-20.0.2

OTP-20.0.3

OTP-20.0.4

OTP-20.0.5

OTP-20.1

OTP-20.1.1

OTP-20.1.2

OTP-20.1.3

OTP-20.1.4

OTP-20.1.5

OTP-20.1.6

OTP-20.1.7

OTP-20.1.7.1

OTP-20.2

OTP-20.2.0.1

OTP-20.2.1

OTP-20.2.2

OTP-20.2.3

OTP-20.2.4

OTP-20.3

OTP-20.3.1

OTP-20.3.2

OTP-20.3.2.1

OTP-20.3.3

OTP-20.3.4

OTP-20.3.5

OTP-20.3.6

OTP-20.3.7

OTP-20.3.8

OTP-20.3.8.1

OTP-20.3.8.10

OTP-20.3.8.11

OTP-20.3.8.12

OTP-20.3.8.13

OTP-20.3.8.14

OTP-20.3.8.15

OTP-20.3.8.16

OTP-20.3.8.17

OTP-20.3.8.18

OTP-20.3.8.19

OTP-20.3.8.2

OTP-20.3.8.20

OTP-20.3.8.21

OTP-20.3.8.22

OTP-20.3.8.23

OTP-20.3.8.24

OTP-20.3.8.25

OTP-20.3.8.26

OTP-20.3.8.3

OTP-20.3.8.4

OTP-20.3.8.5

OTP-20.3.8.6

OTP-20.3.8.7

OTP-20.3.8.8

OTP-20.3.8.9

OTP-21.*

OTP-21.0

OTP-21.0-rc1

OTP-21.0-rc2

OTP-21.0.1

OTP-21.0.2

OTP-21.0.3

OTP-21.0.4

OTP-21.0.5

OTP-21.0.6

OTP-21.0.7

OTP-21.0.8

OTP-21.0.9

OTP-21.1

OTP-21.1.1

OTP-21.1.2

OTP-21.1.3

OTP-21.1.4

OTP-21.2

OTP-21.2.1

OTP-21.2.2

OTP-21.2.3

OTP-21.2.4

OTP-21.2.5

OTP-21.2.6

OTP-21.2.7

OTP-21.3

OTP-21.3.1

OTP-21.3.2

OTP-21.3.3

OTP-21.3.4

OTP-21.3.5

OTP-21.3.6

OTP-21.3.7

OTP-21.3.7.1

OTP-21.3.8

OTP-21.3.8.1

OTP-21.3.8.10

OTP-21.3.8.11

OTP-21.3.8.12

OTP-21.3.8.13

OTP-21.3.8.14

OTP-21.3.8.15

OTP-21.3.8.16

OTP-21.3.8.17

OTP-21.3.8.18

OTP-21.3.8.19

OTP-21.3.8.2

OTP-21.3.8.20

OTP-21.3.8.21

OTP-21.3.8.22

OTP-21.3.8.23

OTP-21.3.8.24

OTP-21.3.8.3

OTP-21.3.8.4

OTP-21.3.8.5

OTP-21.3.8.6

OTP-21.3.8.7

OTP-21.3.8.8

OTP-21.3.8.9

OTP-22.*

OTP-22.0

OTP-22.0-rc1

OTP-22.0-rc2

OTP-22.0-rc3

OTP-22.0.1

OTP-22.0.2

OTP-22.0.3

OTP-22.0.4

OTP-22.0.5

OTP-22.0.6

OTP-22.0.7

OTP-22.1

OTP-22.1.1

OTP-22.1.2

OTP-22.1.3

OTP-22.1.4

OTP-22.1.5

OTP-22.1.6

OTP-22.1.7

OTP-22.1.8

OTP-22.1.8.1

OTP-22.2

OTP-22.2.1

OTP-22.2.2

OTP-22.2.3

OTP-22.2.4

OTP-22.2.5

OTP-22.2.6

OTP-22.2.7

OTP-22.2.8

OTP-22.3

OTP-22.3.1

OTP-22.3.2

OTP-22.3.3

OTP-22.3.4

OTP-22.3.4.1

OTP-22.3.4.10

OTP-22.3.4.11

OTP-22.3.4.12

OTP-22.3.4.12.1

OTP-22.3.4.13

OTP-22.3.4.14

OTP-22.3.4.15

OTP-22.3.4.16

OTP-22.3.4.17

OTP-22.3.4.18

OTP-22.3.4.19

OTP-22.3.4.2

OTP-22.3.4.20

OTP-22.3.4.21

OTP-22.3.4.22

OTP-22.3.4.23

OTP-22.3.4.24

OTP-22.3.4.25

OTP-22.3.4.26

OTP-22.3.4.27

OTP-22.3.4.3

OTP-22.3.4.4

OTP-22.3.4.5

OTP-22.3.4.6

OTP-22.3.4.7

OTP-22.3.4.8

OTP-22.3.4.9

OTP-23.*

OTP-23.0

OTP-23.0-rc1

OTP-23.0-rc2

OTP-23.0-rc3

OTP-23.0.1

OTP-23.0.2

OTP-23.0.3

OTP-23.0.4

OTP-23.1

OTP-23.1.1

OTP-23.1.2

OTP-23.1.3

OTP-23.1.4

OTP-23.1.4.1

OTP-23.1.5

OTP-23.2

OTP-23.2.1

OTP-23.2.2

OTP-23.2.3

OTP-23.2.4

OTP-23.2.5

OTP-23.2.6

OTP-23.2.7

OTP-23.2.7.1

OTP-23.2.7.2

OTP-23.2.7.3

OTP-23.2.7.4

OTP-23.2.7.5

OTP-23.3

OTP-23.3.1

OTP-23.3.2

OTP-23.3.3

OTP-23.3.4

OTP-23.3.4.1

OTP-23.3.4.10

OTP-23.3.4.11

OTP-23.3.4.12

OTP-23.3.4.13

OTP-23.3.4.14

OTP-23.3.4.15

OTP-23.3.4.16

OTP-23.3.4.17

OTP-23.3.4.18

OTP-23.3.4.19

OTP-23.3.4.2

OTP-23.3.4.20

OTP-23.3.4.3

OTP-23.3.4.4

OTP-23.3.4.5

OTP-23.3.4.6

OTP-23.3.4.7

OTP-23.3.4.8

OTP-23.3.4.9

OTP-24.*

OTP-24.0

OTP-24.0-rc1

OTP-24.0-rc2

OTP-24.0-rc3

OTP-24.0.1

OTP-24.0.2

OTP-24.0.3

OTP-24.0.4

OTP-24.0.5

OTP-24.0.6

OTP-24.1

OTP-24.1.1

OTP-24.1.2

OTP-24.1.3

OTP-24.1.4

OTP-24.1.5

OTP-24.1.6

OTP-24.1.7

OTP-24.2

OTP-24.2.1

OTP-24.2.2

OTP-24.3

OTP-24.3.1

OTP-24.3.2

OTP-24.3.3

OTP-24.3.4

OTP-24.3.4.1

OTP-24.3.4.10

OTP-24.3.4.11

OTP-24.3.4.12

OTP-24.3.4.13

OTP-24.3.4.14

OTP-24.3.4.15

OTP-24.3.4.16

OTP-24.3.4.17

OTP-24.3.4.2

OTP-24.3.4.3

OTP-24.3.4.4

OTP-24.3.4.5

OTP-24.3.4.6

OTP-24.3.4.7

OTP-24.3.4.8

OTP-24.3.4.9

OTP-25.*

OTP-25.0

OTP-25.0-rc1

OTP-25.0-rc2

OTP-25.0-rc3

OTP-25.0.1

OTP-25.0.2

OTP-25.0.3

OTP-25.0.4

OTP-25.1

OTP-25.1.1

OTP-25.1.2

OTP-25.1.2.1

OTP-25.2

OTP-25.2.1

OTP-25.2.2

OTP-25.2.3

OTP-25.3

OTP-25.3.1

OTP-25.3.2

OTP-25.3.2.1

OTP-25.3.2.10

OTP-25.3.2.11

OTP-25.3.2.12

OTP-25.3.2.13

OTP-25.3.2.14

OTP-25.3.2.15

OTP-25.3.2.16

OTP-25.3.2.17

OTP-25.3.2.18

OTP-25.3.2.2

OTP-25.3.2.3

OTP-25.3.2.4

OTP-25.3.2.5

OTP-25.3.2.6

OTP-25.3.2.7

OTP-25.3.2.8

OTP-25.3.2.9

OTP-26.*

OTP-26.0

OTP-26.0-rc1

OTP-26.0-rc2

OTP-26.0-rc3

OTP-26.0.1

OTP-26.0.2

OTP-26.1

OTP-26.1.1

OTP-26.1.2

OTP-26.2

OTP-26.2.1

OTP-26.2.2

OTP-26.2.3

OTP-26.2.4

OTP-26.2.5

OTP-26.2.5.1

OTP-26.2.5.10

OTP-26.2.5.11

OTP-26.2.5.12

OTP-26.2.5.13

OTP-26.2.5.14

OTP-26.2.5.2

OTP-26.2.5.3

OTP-26.2.5.4

OTP-26.2.5.5

OTP-26.2.5.6

OTP-26.2.5.7

OTP-26.2.5.8

OTP-26.2.5.9

OTP-27.*

OTP-27.0

OTP-27.0-rc1

OTP-27.0-rc2

OTP-27.0-rc3

OTP-27.0.1

OTP-27.1

OTP-27.1.1

OTP-27.1.2

OTP-27.1.3

OTP-27.2

OTP-27.2.1

OTP-27.2.2

OTP-27.2.3

OTP-27.2.4

OTP-27.3

OTP-27.3.1

OTP-27.3.2

OTP-27.3.3

OTP-27.3.4

Other

patch-base-24

patch-base-25

patch-base-26

patch-base-27