CVE-2025-48040 in OTP
Summary
by MITRE • 09/11/2025
Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/06/2026
The CVE-2025-48040 vulnerability represents a critical uncontrolled resource consumption flaw within Erlang OTP's SSH implementation, specifically targeting the ssh_sftp modules. This vulnerability manifests as excessive memory allocation and flooding behaviors that can severely impact system stability and availability. The flaw exists in the lib/ssh/src/ssh_sftpd.erl program file, which serves as the core component responsible for SFTP server operations within the OTP framework. The vulnerability affects a substantial range of OTP versions from 17.0 through 28.0.3, including specific patched releases 27.3.4.3 and 26.2.5.15, with corresponding SSH versions 3.0.1 through 5.3.3, 5.2.11.3, and 5.1.4.12, indicating a long-standing issue that has persisted across multiple major releases.
The technical nature of this vulnerability stems from inadequate resource management within the SFTP server implementation, where malicious or malformed SFTP requests can trigger excessive memory allocation patterns that consume system resources at an unbounded rate. This type of vulnerability falls under CWE-400, which specifically addresses Uncontrolled Resource Consumption, and represents a classic example of a resource exhaustion attack that can lead to denial of service conditions. The flaw operates by allowing attackers to craft SFTP operations that cause the ssh_sftpd.erl module to allocate memory without proper bounds checking or rate limiting mechanisms. When exploited, these requests can cause the targeted system to consume all available memory resources, leading to system crashes, application hangs, or complete service unavailability. The vulnerability's impact is particularly severe because SFTP is commonly used for secure file transfers in enterprise environments, making it a prime target for attackers seeking to disrupt critical infrastructure services.
The operational impact of CVE-2025-48040 extends beyond simple denial of service scenarios, as it can potentially enable more sophisticated attack vectors within the broader ATT&CK framework. Systems running affected OTP versions become vulnerable to resource exhaustion attacks that can be leveraged to disrupt legitimate user access, impact business continuity, and potentially serve as a stepping stone for further exploitation. Organizations utilizing Erlang-based applications with SSH functionality, particularly those in financial services, healthcare, or critical infrastructure sectors, face significant risk exposure. The vulnerability's presence across multiple OTP releases means that even organizations with patch management systems may have systems running vulnerable versions, creating widespread exposure across enterprise networks. The attack surface is particularly broad given that SSH is a fundamental protocol used for remote system administration, secure file transfers, and automated system operations, making the potential impact of this vulnerability systemic rather than isolated.
Mitigation strategies for CVE-2025-48040 must address both immediate remediation and long-term architectural considerations. Organizations should prioritize upgrading to patched OTP versions, specifically targeting releases 27.3.4.3, 26.2.5.15, and 28.0.3, which contain the necessary fixes for the resource consumption issues. Network-level protections including rate limiting, connection throttling, and monitoring for unusual SFTP traffic patterns can provide additional defense-in-depth measures. Implementing proper resource limits and memory allocation controls within the SSH server configuration can help prevent unbounded resource consumption. Security teams should also consider implementing intrusion detection systems capable of identifying and alerting on suspicious SFTP activity patterns that may indicate exploitation attempts. The vulnerability's classification under CWE-400 emphasizes the importance of implementing proper input validation and resource management practices, while its potential mapping to ATT&CK techniques related to resource exhaustion and denial of service provides a framework for understanding the broader threat landscape. Regular security assessments and vulnerability scanning should include checks for affected OTP versions to ensure comprehensive coverage of this critical resource consumption vulnerability.