EEF-CVE-2025-48041

See a problem?
Please try reporting it to the source first.
Source
https://cna.erlef.org/osv/EEF-CVE-2025-48041.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2025-48041.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2025-48041
Aliases
Published
2025-09-11T08:14:20.508Z
Modified
2026-04-07T15:00:15.620953Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
Details

Summary

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (sshsftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl.

This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Workaround

  • disabling SFTP
    • limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated

Configuration

The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration.

Database specific 
{
    "cwe_ids": [
        "CWE-770",
        "CWE-400"
    ],
    "capec_ids": [
        "CAPEC-130",
        "CAPEC-125"
    ],
    "cpe_ids": [
        "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
    ]
}
References
Credits
    • Jakub Witczak - REMEDIATION_DEVELOPER
    • Ingela Andin - REMEDIATION_REVIEWER

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type
GIT
Repo
https://github.com/erlang/otp
Events
Introduced
07b8f441ca711f9812fad9e9115bab3c3aa92f79
Fixed
5f9af63eec4657a37663828d206517828cb9f288
Fixed
d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401

Affected versions

OTP-17.*
OTP-17.0
OTP-17.0.1
OTP-17.0.2
OTP-17.1
OTP-17.1.1
OTP-17.1.2
OTP-17.2
OTP-17.2.1
OTP-17.2.2
OTP-17.3
OTP-17.3.1
OTP-17.3.2
OTP-17.3.3
OTP-17.3.4
OTP-17.4
OTP-17.4.1
OTP-17.5
OTP-17.5.1
OTP-17.5.2
OTP-17.5.3
OTP-17.5.4
OTP-17.5.5
OTP-17.5.6
OTP-17.5.6.1
OTP-17.5.6.10
OTP-17.5.6.2
OTP-17.5.6.3
OTP-17.5.6.4
OTP-17.5.6.5
OTP-17.5.6.6
OTP-17.5.6.7
OTP-17.5.6.8
OTP-17.5.6.9
OTP-18.*
OTP-18.0
OTP-18.0-rc1
OTP-18.0-rc2
OTP-18.0.1
OTP-18.0.2
OTP-18.0.3
OTP-18.1
OTP-18.1.1
OTP-18.1.2
OTP-18.1.3
OTP-18.1.4
OTP-18.1.5
OTP-18.2
OTP-18.2.1
OTP-18.2.2
OTP-18.2.3
OTP-18.2.4
OTP-18.2.4.0.1
OTP-18.2.4.1
OTP-18.3
OTP-18.3.1
OTP-18.3.2
OTP-18.3.3
OTP-18.3.4
OTP-18.3.4.1
OTP-18.3.4.1.1
OTP-18.3.4.10
OTP-18.3.4.11
OTP-18.3.4.2
OTP-18.3.4.3
OTP-18.3.4.4
OTP-18.3.4.5
OTP-18.3.4.6
OTP-18.3.4.7
OTP-18.3.4.8
OTP-18.3.4.9
OTP-19.*
OTP-19.0
OTP-19.0-rc1
OTP-19.0-rc2
OTP-19.0.1
OTP-19.0.2
OTP-19.0.3
OTP-19.0.4
OTP-19.0.5
OTP-19.0.6
OTP-19.0.7
OTP-19.1
OTP-19.1.1
OTP-19.1.2
OTP-19.1.3
OTP-19.1.4
OTP-19.1.5
OTP-19.1.6
OTP-19.1.6.1
OTP-19.2
OTP-19.2.1
OTP-19.2.2
OTP-19.2.3
OTP-19.2.3.1
OTP-19.3
OTP-19.3.1
OTP-19.3.2
OTP-19.3.3
OTP-19.3.4
OTP-19.3.5
OTP-19.3.6
OTP-19.3.6.1
OTP-19.3.6.10
OTP-19.3.6.11
OTP-19.3.6.12
OTP-19.3.6.13
OTP-19.3.6.2
OTP-19.3.6.3
OTP-19.3.6.4
OTP-19.3.6.5
OTP-19.3.6.6
OTP-19.3.6.7
OTP-19.3.6.8
OTP-19.3.6.9
OTP-20.*
OTP-20.0
OTP-20.0-rc1
OTP-20.0-rc2
OTP-20.0.1
OTP-20.0.2
OTP-20.0.3
OTP-20.0.4
OTP-20.0.5
OTP-20.1
OTP-20.1.1
OTP-20.1.2
OTP-20.1.3
OTP-20.1.4
OTP-20.1.5
OTP-20.1.6
OTP-20.1.7
OTP-20.1.7.1
OTP-20.2
OTP-20.2.0.1
OTP-20.2.1
OTP-20.2.2
OTP-20.2.3
OTP-20.2.4
OTP-20.3
OTP-20.3.1
OTP-20.3.2
OTP-20.3.2.1
OTP-20.3.3
OTP-20.3.4
OTP-20.3.5
OTP-20.3.6
OTP-20.3.7
OTP-20.3.8
OTP-20.3.8.1
OTP-20.3.8.10
OTP-20.3.8.11
OTP-20.3.8.12
OTP-20.3.8.13
OTP-20.3.8.14
OTP-20.3.8.15
OTP-20.3.8.16
OTP-20.3.8.17
OTP-20.3.8.18
OTP-20.3.8.19
OTP-20.3.8.2
OTP-20.3.8.20
OTP-20.3.8.21
OTP-20.3.8.22
OTP-20.3.8.23
OTP-20.3.8.24
OTP-20.3.8.25
OTP-20.3.8.26
OTP-20.3.8.3
OTP-20.3.8.4
OTP-20.3.8.5
OTP-20.3.8.6
OTP-20.3.8.7
OTP-20.3.8.8
OTP-20.3.8.9
OTP-21.*
OTP-21.0
OTP-21.0-rc1
OTP-21.0-rc2
OTP-21.0.1
OTP-21.0.2
OTP-21.0.3
OTP-21.0.4
OTP-21.0.5
OTP-21.0.6
OTP-21.0.7
OTP-21.0.8
OTP-21.0.9
OTP-21.1
OTP-21.1.1
OTP-21.1.2
OTP-21.1.3
OTP-21.1.4
OTP-21.2
OTP-21.2.1
OTP-21.2.2
OTP-21.2.3
OTP-21.2.4
OTP-21.2.5
OTP-21.2.6
OTP-21.2.7
OTP-21.3
OTP-21.3.1
OTP-21.3.2
OTP-21.3.3
OTP-21.3.4
OTP-21.3.5
OTP-21.3.6
OTP-21.3.7
OTP-21.3.7.1
OTP-21.3.8
OTP-21.3.8.1
OTP-21.3.8.10
OTP-21.3.8.11
OTP-21.3.8.12
OTP-21.3.8.13
OTP-21.3.8.14
OTP-21.3.8.15
OTP-21.3.8.16
OTP-21.3.8.17
OTP-21.3.8.18
OTP-21.3.8.19
OTP-21.3.8.2
OTP-21.3.8.20
OTP-21.3.8.21
OTP-21.3.8.22
OTP-21.3.8.23
OTP-21.3.8.24
OTP-21.3.8.3
OTP-21.3.8.4
OTP-21.3.8.5
OTP-21.3.8.6
OTP-21.3.8.7
OTP-21.3.8.8
OTP-21.3.8.9
OTP-22.*
OTP-22.0
OTP-22.0-rc1
OTP-22.0-rc2
OTP-22.0-rc3
OTP-22.0.1
OTP-22.0.2
OTP-22.0.3
OTP-22.0.4
OTP-22.0.5
OTP-22.0.6
OTP-22.0.7
OTP-22.1
OTP-22.1.1
OTP-22.1.2
OTP-22.1.3
OTP-22.1.4
OTP-22.1.5
OTP-22.1.6
OTP-22.1.7
OTP-22.1.8
OTP-22.1.8.1
OTP-22.2
OTP-22.2.1
OTP-22.2.2
OTP-22.2.3
OTP-22.2.4
OTP-22.2.5
OTP-22.2.6
OTP-22.2.7
OTP-22.2.8
OTP-22.3
OTP-22.3.1
OTP-22.3.2
OTP-22.3.3
OTP-22.3.4
OTP-22.3.4.1
OTP-22.3.4.10
OTP-22.3.4.11
OTP-22.3.4.12
OTP-22.3.4.12.1
OTP-22.3.4.13
OTP-22.3.4.14
OTP-22.3.4.15
OTP-22.3.4.16
OTP-22.3.4.17
OTP-22.3.4.18
OTP-22.3.4.19
OTP-22.3.4.2
OTP-22.3.4.20
OTP-22.3.4.21
OTP-22.3.4.22
OTP-22.3.4.23
OTP-22.3.4.24
OTP-22.3.4.25
OTP-22.3.4.26
OTP-22.3.4.27
OTP-22.3.4.3
OTP-22.3.4.4
OTP-22.3.4.5
OTP-22.3.4.6
OTP-22.3.4.7
OTP-22.3.4.8
OTP-22.3.4.9
OTP-23.*
OTP-23.0
OTP-23.0-rc1
OTP-23.0-rc2
OTP-23.0-rc3
OTP-23.0.1
OTP-23.0.2
OTP-23.0.3
OTP-23.0.4
OTP-23.1
OTP-23.1.1
OTP-23.1.2
OTP-23.1.3
OTP-23.1.4
OTP-23.1.4.1
OTP-23.1.5
OTP-23.2
OTP-23.2.1
OTP-23.2.2
OTP-23.2.3
OTP-23.2.4
OTP-23.2.5
OTP-23.2.6
OTP-23.2.7
OTP-23.2.7.1
OTP-23.2.7.2
OTP-23.2.7.3
OTP-23.2.7.4
OTP-23.2.7.5
OTP-23.3
OTP-23.3.1
OTP-23.3.2
OTP-23.3.3
OTP-23.3.4
OTP-23.3.4.1
OTP-23.3.4.10
OTP-23.3.4.11
OTP-23.3.4.12
OTP-23.3.4.13
OTP-23.3.4.14
OTP-23.3.4.15
OTP-23.3.4.16
OTP-23.3.4.17
OTP-23.3.4.18
OTP-23.3.4.19
OTP-23.3.4.2
OTP-23.3.4.20
OTP-23.3.4.3
OTP-23.3.4.4
OTP-23.3.4.5
OTP-23.3.4.6
OTP-23.3.4.7
OTP-23.3.4.8
OTP-23.3.4.9
OTP-24.*
OTP-24.0
OTP-24.0-rc1
OTP-24.0-rc2
OTP-24.0-rc3
OTP-24.0.1
OTP-24.0.2
OTP-24.0.3
OTP-24.0.4
OTP-24.0.5
OTP-24.0.6
OTP-24.1
OTP-24.1.1
OTP-24.1.2
OTP-24.1.3
OTP-24.1.4
OTP-24.1.5
OTP-24.1.6
OTP-24.1.7
OTP-24.2
OTP-24.2.1
OTP-24.2.2
OTP-24.3
OTP-24.3.1
OTP-24.3.2
OTP-24.3.3
OTP-24.3.4
OTP-24.3.4.1
OTP-24.3.4.10
OTP-24.3.4.11
OTP-24.3.4.12
OTP-24.3.4.13
OTP-24.3.4.14
OTP-24.3.4.15
OTP-24.3.4.16
OTP-24.3.4.17
OTP-24.3.4.2
OTP-24.3.4.3
OTP-24.3.4.4
OTP-24.3.4.5
OTP-24.3.4.6
OTP-24.3.4.7
OTP-24.3.4.8
OTP-24.3.4.9
OTP-25.*
OTP-25.0
OTP-25.0-rc1
OTP-25.0-rc2
OTP-25.0-rc3
OTP-25.0.1
OTP-25.0.2
OTP-25.0.3
OTP-25.0.4
OTP-25.1
OTP-25.1.1
OTP-25.1.2
OTP-25.1.2.1
OTP-25.2
OTP-25.2.1
OTP-25.2.2
OTP-25.2.3
OTP-25.3
OTP-25.3.1
OTP-25.3.2
OTP-25.3.2.1
OTP-25.3.2.10
OTP-25.3.2.11
OTP-25.3.2.12
OTP-25.3.2.13
OTP-25.3.2.14
OTP-25.3.2.15
OTP-25.3.2.16
OTP-25.3.2.17
OTP-25.3.2.18
OTP-25.3.2.19
OTP-25.3.2.2
OTP-25.3.2.20
OTP-25.3.2.21
OTP-25.3.2.3
OTP-25.3.2.4
OTP-25.3.2.5
OTP-25.3.2.6
OTP-25.3.2.7
OTP-25.3.2.8
OTP-25.3.2.9
OTP-26.*
OTP-26.0
OTP-26.0-rc1
OTP-26.0-rc2
OTP-26.0-rc3
OTP-26.0.1
OTP-26.0.2
OTP-26.1
OTP-26.1.1
OTP-26.1.2
OTP-26.2
OTP-26.2.1
OTP-26.2.2
OTP-26.2.3
OTP-26.2.4
OTP-26.2.5
OTP-26.2.5.1
OTP-26.2.5.10
OTP-26.2.5.11
OTP-26.2.5.12
OTP-26.2.5.13
OTP-26.2.5.14
OTP-26.2.5.2
OTP-26.2.5.3
OTP-26.2.5.4
OTP-26.2.5.5
OTP-26.2.5.6
OTP-26.2.5.7
OTP-26.2.5.8
OTP-26.2.5.9
OTP-27.*
OTP-27.0
OTP-27.0-rc1
OTP-27.0-rc2
OTP-27.0-rc3
OTP-27.0.1
OTP-27.1
OTP-27.1.1
OTP-27.1.2
OTP-27.1.3
OTP-27.2
OTP-27.2.1
OTP-27.2.2
OTP-27.2.3
OTP-27.2.4
OTP-27.3
OTP-27.3.1
OTP-27.3.2
OTP-27.3.3
OTP-27.3.4
OTP-27.3.4.1
OTP-27.3.4.2
OTP-28.*
OTP-28.0
OTP-28.0-rc1
OTP-28.0-rc2
OTP-28.0-rc3
OTP-28.0-rc4
OTP-28.0.1
OTP-28.0.2
Other
patch-base-24
patch-base-25
patch-base-26
patch-base-27

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2025-48041.json"