{"id":"CVE-2025-48039","summary":"Unverified Paths can Cause Excessive Use of System Resources","details":"Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.","aliases":["EEF-CVE-2025-48039","GHSA-rr5p-6856-j7h8"],"modified":"2026-05-21T03:54:33.442148299Z","published":"2025-09-11T08:13:36.878Z","related":["SUSE-SU-2026:0023-1","SUSE-SU-2026:0661-1","SUSE-SU-2026:20088-1","openSUSE-SU-2026:20043-1"],"database_specific":{"cwe_ids":["CWE-400","CWE-770"],"cna_assigner":"EEF","unresolved_ranges":[{"extracted_events":[{"introduced":"3.0.1"},{"fixed":"*"},{"introduced":"17.0"},{"fixed":"*"},{"introduced":"07b8f441ca711f9812fad9e9115bab3c3aa92f79"},{"fixed":"*"}],"source":"AFFECTED_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48039.json"},"references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2025-48039.html"},{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2025-48039"},{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48039.json"},{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48039"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/c242e6458967e9514bea351814151695807a54ac"},{"type":"FIX","url":"https://github.com/erlang/otp/pull/10155"},{"type":"PACKAGE",
"url":"https://github.com/erlang/otp"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"9e6f6742c4d9e9915ee8af0dcb7d97cf1f836116"},{"fixed":"756621cebe01ec43df61d9627380ca7e1e301c9b"}]}],"versions":["OTP-28.0","OTP-28.0.2","OTP-28.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48039.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}]}