CVE-2025-48040

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-48040
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48040.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-48040
Aliases
Downstream
Related
Published
2025-09-11T08:14:19.671Z
Modified
2026-05-21T03:53:53.475116906Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
Details

Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (sshsftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl.

This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48040.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "3.0.1"
                },
                {
                    "fixed": "*"
                },
                {
                    "introduced": "17.0"
                },
                {
                    "fixed": "*"
                },
                {
                    "introduced": "07b8f441ca711f9812fad9e9115bab3c3aa92f79"
                },
                {
                    "fixed": "*"
                }
            ]
        }
    ],
    "cna_assigner": "EEF",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type
GIT
Repo
https://github.com/erlang/otp
Events
Introduced
9e6f6742c4d9e9915ee8af0dcb7d97cf1f836116
Fixed
756621cebe01ec43df61d9627380ca7e1e301c9b

Affected versions

OTP-28.*
OTP-28.0
OTP-28.0.1
OTP-28.0.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48040.json"