Refine your search
17 vulnerabilities found for otp by erlang
CVE-2026-28808 (GCVE-0-2026-28808)
Vulnerability from cvelistv5
Published
2026-04-07 12:28
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.
This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28808",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:14:10.515632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:14:16.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"modules": [
"inets"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_server/mod_alias.erl",
"src/http_server/mod_auth.erl",
"src/http_server/mod_cgi.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.6.2",
"status": "unaffected"
},
{
"at": "9.3.2.4",
"status": "unaffected"
},
{
"at": "9.1.0.6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"modules": [
"inets"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_server/mod_alias.erl",
"lib/inets/src/http_server/mod_auth.erl",
"lib/inets/src/http_server/mod_cgi.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.2",
"status": "unaffected"
},
{
"at": "27.3.4.10",
"status": "unaffected"
},
{
"at": "26.2.5.19",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "8fc71ac6af4fbcc54103bec2983ef22e82942688",
"status": "unaffected"
},
{
"at": "9dfa0c51eac97866078e808dec2183cb7871ff7c",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The inets httpd server must use \u003ctt\u003escript_alias\u003c/tt\u003e to map a URL prefix to a CGI directory, combined with \u003ctt\u003edirectory\u003c/tt\u003e-based access controls (e.g., \u003ctt\u003emod_auth\u003c/tt\u003e) protecting the \u003ctt\u003escript_alias\u003c/tt\u003e target path. The vulnerability applies whenever the \u003ctt\u003escript_alias\u003c/tt\u003e target path differs from \u003ctt\u003eDocumentRoot\u003c/tt\u003e + URL prefix."
}
],
"value": "The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.19",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.10",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Igor Morgenstern / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by \u003ctt\u003edirectory\u003c/tt\u003e rules when served via \u003ctt\u003escript_alias\u003c/tt\u003e.\u003cp\u003eWhen \u003ctt\u003escript_alias\u003c/tt\u003e maps a URL prefix to a directory outside \u003ctt\u003eDocumentRoot\u003c/tt\u003e, \u003ctt\u003emod_auth\u003c/tt\u003e evaluates \u003ctt\u003edirectory\u003c/tt\u003e-based access controls against the \u003ctt\u003eDocumentRoot\u003c/tt\u003e-relative path while \u003ctt\u003emod_cgi\u003c/tt\u003e executes the script at the \u003ctt\u003eScriptAlias\u003c/tt\u003e-resolved path. This path mismatch allows unauthenticated access to CGI scripts that \u003ctt\u003edirectory\u003c/tt\u003e rules were meant to protect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/mod_alias.erl\u003c/tt\u003e, \u003ctt\u003elib/inets/src/http_server/mod_auth.erl\u003c/tt\u003e, and \u003ctt\u003elib/inets/src/http_server/mod_cgi.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:09.190Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28808.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28808"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eMove CGI scripts inside \u003ctt\u003eDocumentRoot\u003c/tt\u003e and use \u003ctt\u003ealias\u003c/tt\u003e instead of \u003ctt\u003escript_alias\u003c/tt\u003e to ensure \u003ctt\u003emod_auth\u003c/tt\u003e resolves the correct path.\u003c/li\u003e\u003cli\u003eApply URL-based access controls at a reverse proxy layer to block unauthenticated access to the \u003ctt\u003escript_alias\u003c/tt\u003e URL prefix.\u003c/li\u003e\u003cli\u003eRemove \u003ctt\u003emod_cgi\u003c/tt\u003e from the httpd modules chain if CGI functionality is not required.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.\n* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.\n* Remove mod_cgi from the httpd modules chain if CGI functionality is not required."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28808",
"datePublished": "2026-04-07T12:28:16.056Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-04-07T14:38:09.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32144 (GCVE-0-2026-32144)
Vulnerability from cvelistv5
Published
2026-04-07 12:28
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-295 - Improper Certificate Validation
Summary
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.
The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.
This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.
This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.
This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:15:14.355759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:15:20.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_ocsp"
],
"packageName": "public_key",
"packageURL": "pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/pubkey_ocsp.erl"
],
"programRoutines": [
{
"name": "pubkey_ocsp:is_authorized_responder/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.20.3",
"status": "unaffected"
},
{
"at": "1.17.1.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.16",
"versionType": "otp"
}
]
},
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssl_stapling"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssl_stapling.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.5.4",
"status": "unaffected"
},
{
"at": "11.2.12.7",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "11.2",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_ocsp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/public_key/src/pubkey_ocsp.erl"
],
"programRoutines": [
{
"name": "pubkey_ocsp:is_authorized_responder/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.2",
"status": "unaffected"
},
{
"at": "27.3.4.10",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "27.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "ac7ff528be857c5d35eb29c7f24106e3a16d4891",
"status": "unaffected"
},
{
"at": "49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "601a012837ea0a5c8095bf24223132824177124d",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SSL/TLS must be configured with OCSP stapling enabled (e.g., \u003ctt\u003e{stapling, staple}\u003c/tt\u003e), or the application must call \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly. OCSP stapling is disabled by default (\u003ctt\u003e{stapling, no_staple}\u003c/tt\u003e)."
}
],
"value": "SSL/TLS must be configured with OCSP stapling enabled (e.g., {stapling, staple}), or the application must call public_key:pkix_ocsp_validate/5 directly. OCSP stapling is disabled by default ({stapling, no_staple})."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.10",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Igor Morgenstern / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\u003cp\u003eThe OCSP response validation in \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate\u0027s issuer name matches the CA\u0027s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\u003c/p\u003e\u003cp\u003eThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e API directly are also affected, with impact depending on usage context.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/public_key/src/pubkey_ocsp.erl\u003c/tt\u003e and program routines \u003ctt\u003epubkey_ocsp:is_authorized_responder/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.\u003c/p\u003e"
}
],
"value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\n\nThe OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate\u0027s issuer name matches the CA\u0027s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\n\nThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.\n\nThis vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.\n\nThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7."
}
],
"impacts": [
{
"capecId": "CAPEC-459",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-459 Creating a Rogue Certification Authority Certificate"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:03.763Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32144.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32144"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OCSP designated-responder authorization bypass via missing signature verification",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eFor SSL users:\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDo not enable OCSP validation setting (current default is \u003ctt\u003e{stapling, no_staple}\u003c/tt\u003e)\u003c/li\u003e\u003cli\u003eUse CRL-based revocation checking by setting the \u003ctt\u003e{crl_check, true}\u003c/tt\u003e SSL option instead\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cb\u003eFor applications using \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly:\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePass \u003ctt\u003e{is_trusted_responder_fun, Fun}\u003c/tt\u003e option with a function that validates trusted responder certificates\u003c/li\u003e\u003cli\u003eRestrict OCSP responder access to trusted endpoints via network controls (only applicable if you control the OCSP infrastructure)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "For SSL users:\n\n* Do not enable OCSP validation setting (current default is {stapling, no_staple})\n* Use CRL-based revocation checking by setting the {crl_check, true} SSL option instead\n\nFor applications using public_key:pkix_ocsp_validate/5 directly:\n\n* Pass {is_trusted_responder_fun, Fun} option with a function that validates trusted responder certificates\n* Restrict OCSP responder access to trusted endpoints via network controls (only applicable if you control the OCSP infrastructure)"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32144",
"datePublished": "2026-04-07T12:28:00.767Z",
"dateReserved": "2026-03-10T22:37:29.212Z",
"dateUpdated": "2026-04-07T14:38:03.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28810 (GCVE-0-2026-28810)
Vulnerability from cvelistv5
Published
2026-04-07 07:50
Modified
2026-04-08 04:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-340 - Generation of Predictable Numbers or Identifiers
Summary
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.
The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.
inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.
This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:27:52.481723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:28:02.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_res",
"inet_db"
],
"packageName": "kernel",
"packageURL": "pkg:otp/kernel?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/inet_db.erl",
"src/inet_res.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "10.6.2",
"status": "unaffected"
},
{
"at": "10.2.7.4",
"status": "unaffected"
},
{
"at": "9.2.4.11",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_res",
"inet_db"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/kernel/src/inet_db.erl",
"lib/kernel/src/inet_res.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.2",
"status": "unaffected"
},
{
"at": "27.3.4.10",
"status": "unaffected"
},
{
"at": "26.2.5.19",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "36f23c9d2cc54afe83671dd7343596d7972839a5",
"status": "unaffected"
},
{
"at": "dd15e8eb03548c5e55e9915f0e91389ec6bad9fd",
"status": "unaffected"
},
{
"at": "b057a9d995017b1be50d6dc02edd52382f3231b8",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must use \u003ctt\u003einet_res\u003c/tt\u003e for DNS resolution, either by configuring the lookup method to include \u003ctt\u003edns\u003c/tt\u003e in the kernel inet configuration, or by calling \u003ctt\u003einet_res\u003c/tt\u003e functions directly. The default Erlang/OTP configuration uses native OS resolution and is not affected."
}
],
"value": "The application must use inet_res for DNS resolution, either by configuring the lookup method to include dns in the kernel inet configuration, or by calling inet_res functions directly. The default Erlang/OTP configuration uses native OS resolution and is not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.19",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.10",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.\u003cp\u003eThe built-in DNS resolver (\u003ctt\u003einet_res\u003c/tt\u003e) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.\u003c/p\u003e\u003cp\u003e\u003ctt\u003einet_res\u003c/tt\u003e is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/kernel/src/inet_db.erl\u003c/tt\u003e and \u003ctt\u003elib/kernel/src/inet_res.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.\u003c/p\u003e"
}
],
"value": "Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.\n\nThe built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.\n\ninet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.\n\nThis vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11."
}
],
"impacts": [
{
"capecId": "CAPEC-142",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-142 DNS Cache Poisoning"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T04:08:49.797Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28810.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28810"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install the Erlang nodes in a trusted network shielded from DNS reply spoofing by firewalls, and configure the \u003ctt\u003einet_res\u003c/tt\u003e resolver to only talk to trusted recursive name servers within that network."
}
],
"value": "Install the Erlang nodes in a trusted network shielded from DNS reply spoofing by firewalls, and configure the inet_res resolver to only talk to trusted recursive name servers within that network."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28810",
"datePublished": "2026-04-07T07:50:11.072Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-04-08T04:08:49.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23941 (GCVE-0-2026-23941)
Vulnerability from cvelistv5
Published
2026-03-13 09:11
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.
This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.
The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:00:50.466386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:00:56.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpd_request"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_server/httpd_request.erl"
],
"programRoutines": [
{
"name": "httpd_request:parse_headers/7"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.6.1",
"status": "unaffected"
},
{
"at": "9.3.2.3",
"status": "unaffected"
},
{
"at": "9.1.0.5",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpd_request"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_server/httpd_request.erl"
],
"programRoutines": [
{
"name": "httpd_request:parse_headers/7"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.1",
"status": "unaffected"
},
{
"at": "27.3.4.9",
"status": "unaffected"
},
{
"at": "26.2.5.18",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "a4b46336fd25aa100ac602eb9a627aaead7eda18",
"status": "unaffected"
},
{
"at": "a761d391d8d08316cbd7d4a86733ba932b73c45b",
"status": "unaffected"
},
{
"at": "e775a332f623851385ab6ddb866d9b150612ddf6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
}
],
"value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.9",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.1",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/httpd_request.erl\u003c/tt\u003e and program routines \u003ctt\u003ehttpd_request:parse_headers/7\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.\u003c/p\u003e"
}
],
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.\n\nThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:08.041Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-w4jc-9wpv-pqh7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23941.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23941"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/a4b46336fd25aa100ac602eb9a627aaead7eda18"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/a761d391d8d08316cbd7d4a86733ba932b73c45b"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/e775a332f623851385ab6ddb866d9b150612ddf6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Request smuggling via first-wins Content-Length parsing in inets httpd",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eConfigure frontend proxy to reject requests with duplicate Content-Length headers.\u003c/li\u003e\u003cli\u003eDisable HTTP keep-alive on httpd by adding \u003ctt\u003e{keep_alive, false}\u003c/tt\u003e to httpd configuration. Note: This impacts performance for clients making multiple requests.\u003c/li\u003e\u003cli\u003eDeploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Configure frontend proxy to reject requests with duplicate Content-Length headers.\n* Disable HTTP keep-alive on httpd by adding `{keep_alive, false}` to httpd configuration. Note: This impacts performance for clients making multiple requests.\n* Deploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23941",
"datePublished": "2026-03-13T09:11:58.175Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-07T14:38:08.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23943 (GCVE-0-2026-23943)
Vulnerability from cvelistv5
Published
2026-03-13 09:11
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Summary
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.
The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.
Two compression algorithms are affected:
* zlib: Activates immediately after key exchange, enabling unauthenticated attacks
* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks
Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.
This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:01:40.898658Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:01:48.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_transport"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_transport.erl"
],
"programRoutines": [
{
"name": "ssh_transport:decompress/2"
},
{
"name": "ssh_transport:handle_packet_part/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.1",
"status": "unaffected"
},
{
"at": "5.2.11.6",
"status": "unaffected"
},
{
"at": "5.1.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_transport"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_transport.erl"
],
"programRoutines": [
{
"name": "ssh_transport:decompress/2"
},
{
"name": "ssh_transport:handle_packet_part/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.1",
"status": "unaffected"
},
{
"at": "27.3.4.9",
"status": "unaffected"
},
{
"at": "26.2.5.18",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "43a87b949bdff12d629a8c34146711d9da93b1b1",
"status": "unaffected"
},
{
"at": "93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3",
"status": "unaffected"
},
{
"at": "0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SSH server or client must advertise \u003ctt\u003ezlib\u003c/tt\u003e or \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e compression. Both are enabled by default. With \u003ctt\u003ezlib\u003c/tt\u003e, the attack is pre-authentication; with \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e, authentication is required first."
}
],
"value": "The SSH server or client must advertise zlib or zlib@openssh.com compression. Both are enabled by default. With zlib, the attack is pre-authentication; with zlib@openssh.com, authentication is required first."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Igor Morgenstern / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\u003cp\u003eThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\u003c/p\u003e\u003cp\u003eTwo compression algorithms are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cb\u003ezlib:\u003c/b\u003e Activates immediately after key exchange, enabling unauthenticated attacks\u003c/li\u003e\u003cli\u003e\u003cb\u003ezlib@openssh.com:\u003c/b\u003e Activates post-authentication, enabling authenticated attacks\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_transport.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_transport:decompress/2\u003c/tt\u003e, \u003ctt\u003essh_transport:handle_packet_part/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
}
],
"value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-490",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-490 Amplification"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:05.652Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23943.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23943"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Pre-auth SSH DoS via unbounded zlib inflate",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eBest workaround - Disable all compression:\u003c/b\u003e\u003c/p\u003e\u003cpre\u003e{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\u003c/pre\u003e\u003cp\u003e\u003cb\u003eAlternative mitigations (less secure):\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\u003cpre\u003e{modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\u003c/pre\u003e\u003c/li\u003e\u003cli\u003eLimit concurrent sessions (reduces attack surface but does not prevent exploitation):\u003cpre\u003e{max_sessions, N} % Cap total concurrent sessions (default is infinity)\u003c/pre\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Best workaround - Disable all compression:\n\n{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\n\nAlternative mitigations (less secure):\n\n* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\n {modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\n* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):\n {max_sessions, N} % Cap total concurrent sessions (default is infinity)"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23943",
"datePublished": "2026-03-13T09:11:57.794Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-07T14:38:05.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23942 (GCVE-0-2026-23942)
Vulnerability from cvelistv5
Published
2026-03-13 09:11
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.
The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:02:31.222384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:02:38.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:is_within_root/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.1",
"status": "unaffected"
},
{
"at": "5.2.11.6",
"status": "unaffected"
},
{
"at": "5.1.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:is_within_root/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.1",
"status": "unaffected"
},
{
"at": "27.3.4.9",
"status": "unaffected"
},
{
"at": "26.2.5.18",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "27688a824f753d4c16371dc70e88753fb410590b",
"status": "unaffected"
},
{
"at": "9e0ac85d3485e7898e0da88a14be0ee2310a3b28",
"status": "unaffected"
},
{
"at": "5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when \u003ctt\u003essh_sftpd\u003c/tt\u003e is included in the \u003ctt\u003esubsystems\u003c/tt\u003e option with a \u003ctt\u003eroot\u003c/tt\u003e parameter and there exist sibling directories sharing the same name prefix as the root."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when ssh_sftpd is included in the subsystems option with a root parameter and there exist sibling directories sharing the same name prefix as the root."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.9",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.1",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Micha\u0142 W\u0105sowski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:is_within_root/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe SFTP server uses string prefix matching via \u003ctt\u003elists:prefix/2\u003c/tt\u003e rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to \u003ctt\u003e/home/user1\u003c/tt\u003e, paths like \u003ctt\u003e/home/user10\u003c/tt\u003e or \u003ctt\u003e/home/user1_backup\u003c/tt\u003e would incorrectly be considered within the root.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.\n\nThe SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:09.705Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23942.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23942"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SFTP root escape via component-agnostic prefix check in ssh_sftpd",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eUse directory naming conventions that avoid common prefixes (e.g., \u003ctt\u003e/home/users/alice/\u003c/tt\u003e instead of \u003ctt\u003e/home/user1/\u003c/tt\u003e).\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\n* Ensure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Use directory naming conventions that avoid common prefixes (e.g., /home/users/alice/ instead of /home/user1/)."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23942",
"datePublished": "2026-03-13T09:11:56.424Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-07T14:38:09.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21620 (GCVE-0-2026-21620)
Vulnerability from cvelistv5
Published
2026-02-20 10:57
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-23 - Relative Path Traversal
Summary
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.
This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T13:36:03.423294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T13:36:39.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/tftp/src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "26.2.5.17",
"status": "unaffected"
},
{
"at": "27.3.4.8",
"status": "unaffected"
},
{
"at": "28.3.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "655fb95725ba2fb811740b57e106873833824344",
"status": "unaffected"
},
{
"at": "3970738f687325138eb75f798054fa8960ac354e",
"status": "unaffected"
},
{
"at": "696fdec922661d4a3cc528fc34bc24fae8d4ad8a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "7.0",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "tftp",
"packageURL": "pkg:otp/tftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.1.1.1",
"status": "unaffected"
},
{
"at": "1.2.2.1",
"status": "unaffected"
},
{
"at": "1.2.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0",
"versionType": "otp"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A TFTP server must be started and the TFTP port must be reachable by the attacker, using the \u003ctt\u003etftp\u003c/tt\u003e application (or the legacy \u003ctt\u003einets\u003c/tt\u003e TFTP service) with the \u003ctt\u003etftp_file\u003c/tt\u003e callback module configured with the \u003ctt\u003e{root_dir, Dir}\u003c/tt\u003e option."
}
],
"value": "A TFTP server must be started and the TFTP port must be reachable by the attacker, using the tftp application (or the legacy inets TFTP service) with the tftp_file callback module configured with the {root_dir, Dir} option."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.8",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.3.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/tftp/src/tftp_file.erl\u003c/tt\u003e, \u003ctt\u003esrc/tftp_file.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.\u003c/p\u003e"
}
],
"value": "Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.\n\nThis issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:08.771Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21620.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21620"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10706"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/696fdec922661d4a3cc528fc34bc24fae8d4ad8a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/3970738f687325138eb75f798054fa8960ac354e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/655fb95725ba2fb811740b57e106873833824344"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "TFTP Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21620",
"datePublished": "2026-02-20T10:57:08.620Z",
"dateReserved": "2026-01-01T03:46:45.934Z",
"dateUpdated": "2026-04-07T14:38:08.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48041 (GCVE-0-2025-48041)
Vulnerability from cvelistv5
Published
2025-09-11 08:14
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:30:20.449625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:36:24.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.3.3",
"status": "unaffected"
},
{
"at": "5.2.11.3",
"status": "unaffected"
},
{
"at": "5.1.4.12",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.3",
"status": "unaffected"
},
{
"at": "26.2.5.15",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "5f9af63eec4657a37663828d206517828cb9f288",
"status": "unaffected"
},
{
"at": "d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting \u003ctt\u003e{subsystems, []}\u003c/tt\u003e in the SSH daemon configuration."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.3",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:02.322Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-79c4-cvv7-4qm3"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48041.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48041"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10157"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/5f9af63eec4657a37663828d206517828cb9f288"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003edisabling SFTP\u003ctt\u003e\u003c/tt\u003e\u003c/li\u003e\u003cli\u003elimiting number of \u003ctt\u003emax_sessions\u003c/tt\u003e allowed for \u003ctt\u003esshd\u003c/tt\u003e, so exploiting becomes more complicated\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* disabling SFTP\n * limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48041",
"datePublished": "2025-09-11T08:14:20.508Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-04-07T14:38:02.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48040 (GCVE-0-2025-48040)
Vulnerability from cvelistv5
Published
2025-09-11 08:14
Modified
2026-04-06 16:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:30:33.529743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:36:29.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.3.3",
"status": "unaffected"
},
{
"at": "5.2.11.3",
"status": "unaffected"
},
{
"at": "5.1.4.12",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.3",
"status": "unaffected"
},
{
"at": "26.2.5.15",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a",
"status": "unaffected"
},
{
"at": "548f1295d86d0803da884db8685cc16d461d0d5a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.3",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:01.688Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48040.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48040"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10162"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Malicious Key Exchange Messages may Lead to Excessive Resource Consumption",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eset option \u003ctt\u003eparallel_login\u003c/tt\u003e to \u003ctt\u003efalse\u003c/tt\u003e\u003c/li\u003e\u003cli\u003ereduce \u003ctt\u003emax_sessions\u003c/tt\u003e option\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* set option parallel_login to false\n * reduce max_sessions option"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48040",
"datePublished": "2025-09-11T08:14:19.671Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-04-06T16:44:01.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48039 (GCVE-0-2025-48039)
Vulnerability from cvelistv5
Published
2025-09-11 08:13
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48039",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:30:44.440721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:36:34.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.3.3",
"status": "unaffected"
},
{
"at": "5.2.11.3",
"status": "unaffected"
},
{
"at": "5.1.4.12",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.3",
"status": "unaffected"
},
{
"at": "26.2.5.15",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "c242e6458967e9514bea351814151695807a54ac",
"status": "unaffected"
},
{
"at": "043ee3c943e2977c1acdd740ad13992fd60b6bf0",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting \u003ctt\u003e{subsystems, []}\u003c/tt\u003e in the SSH daemon configuration."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.3",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:01.049Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48039.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48039"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10155"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/c242e6458967e9514bea351814151695807a54ac"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unverified Paths can Cause Excessive Use of System Resources",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eDisable \u003ctt\u003esftp\u003c/tt\u003e\u003c/li\u003e\u003cli\u003elimiting number of \u003ctt\u003emax_sessions\u003c/tt\u003e allowed for \u003ctt\u003esshd\u003c/tt\u003e, so exploiting becomes more complicated\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Disable sftp\n * limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48039",
"datePublished": "2025-09-11T08:13:36.878Z",
"dateReserved": "2025-05-15T08:36:04.576Z",
"dateUpdated": "2026-04-07T14:38:01.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48038 (GCVE-0-2025-48038)
Vulnerability from cvelistv5
Published
2025-09-11 08:13
Modified
2026-04-07 14:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:30:56.648005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:36:40.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.3.3",
"status": "unaffected"
},
{
"at": "5.2.11.3",
"status": "unaffected"
},
{
"at": "5.1.4.12",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.3",
"status": "unaffected"
},
{
"at": "26.2.5.15",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "4e3bf86777ab3db7220c11d8ddabf15970ddd10a",
"status": "unaffected"
},
{
"at": "f09e0201ff701993dc24a08f15e524daf72db42f",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting \u003ctt\u003e{subsystems, []}\u003c/tt\u003e in the SSH daemon configuration."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.3",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:37:59.826Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-pvj7-9652-7h9r"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48038.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48038"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10156"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/4e3bf86777ab3db7220c11d8ddabf15970ddd10a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/f09e0201ff701993dc24a08f15e524daf72db42f"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unverified File Handles can Cause Excessive Use of System Resources",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eDisable \u003ctt\u003esftp\u003c/tt\u003e\u003c/li\u003e\u003cli\u003elimiting number of \u003ctt\u003emax_sessions\u003c/tt\u003e allowed for \u003ctt\u003esshd\u003c/tt\u003e, so exploiting becomes more complicated\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Disable sftp\n * limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48038",
"datePublished": "2025-09-11T08:13:04.030Z",
"dateReserved": "2025-05-15T08:36:04.576Z",
"dateUpdated": "2026-04-07T14:37:59.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4748 (GCVE-0-2025-4748)
Vulnerability from cvelistv5
Published
2025-06-16 11:00
Modified
2026-04-06 16:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2Â unless the memory option is passed.
This issue affects OTP from OTP 17.0 until OTPÂ 28.0.1, OTPÂ 27.3.4.1 and OTPÂ 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T15:10:47.019511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T15:33:34.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-06-16T20:03:21.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/16/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"stdlib"
],
"packageName": "stdlib",
"packageURL": "pkg:otp/stdlib?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"lib/stdlib/src/zip.erl"
],
"programRoutines": [
{
"name": "zip:unzip/1"
},
{
"name": "zip:unzip/2"
},
{
"name": "zip:extract/1"
},
{
"name": "zip:extract/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "7.0.1",
"status": "unaffected"
},
{
"at": "6.2.2.1",
"status": "unaffected"
},
{
"at": "5.2.3.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"stdlib"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/stdlib/src/zip.erl"
],
"programRoutines": [
{
"name": "zip:unzip/1"
},
{
"name": "zip:unzip/2"
},
{
"name": "zip:extract/1"
},
{
"name": "zip:extract/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.0.1",
"status": "unaffected"
},
{
"at": "27.3.4.1",
"status": "unaffected"
},
{
"at": "26.2.5.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "d9454dbccbaaad4b8796095c8e653b71b066dfaf",
"status": "unaffected"
},
{
"at": "9b7b5431260e05a16eec3ecd530a232d0995d932",
"status": "unaffected"
},
{
"at": "0ac548b57c0491196c27e39518b5f6acf9326c1e",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.1",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.0.1",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wander Nauta"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Bj\u00f6rn Gustavsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/stdlib/src/zip.erl\u003c/tt\u003e and program routines \u003ctt\u003ezip:unzip/1\u003c/tt\u003e, \u003ctt\u003ezip:unzip/2\u003c/tt\u003e, \u003ctt\u003ezip:extract/1\u003c/tt\u003e, \u003ctt\u003ezip:extract/2\u003c/tt\u003e\u003ctt\u003e\u0026nbsp;\u003c/tt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eunless the \u003ctt\u003ememory\u003c/tt\u003e option is passed.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP\u0026nbsp;28.0.1, OTP\u0026nbsp;27.3.4.1 and OTP\u0026nbsp;26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2\u00a0unless the memory option is passed.\n\nThis issue affects OTP from OTP 17.0 until OTP\u00a028.0.1, OTP\u00a027.3.4.1 and OTP\u00a026.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4."
}
],
"impacts": [
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
},
{
"capecId": "CAPEC-165",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-165 File Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:04.139Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-4748.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-4748"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/9941"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/5a55feec10c9b69189d56723d8f237afa58d5d4f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/ba2f2bc5f45fcfd2d6201ba07990a678bbf4cc8f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/578d4001575aa7647ea1efd4b2b7e3afadcc99a5"
}
],
"source": {
"discovery": "USER"
},
"title": "Absolute path traversal in zip:unzip/1,2",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eYou can use \u003c/span\u003e\u003ccode\u003ezip:list_dir/1\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;on the archive and verify that no files contain absolute paths before extracting the archive to disk.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "You can use zip:list_dir/1\u00a0on the archive and verify that no files contain absolute paths before extracting the archive to disk."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-4748",
"datePublished": "2025-06-16T11:00:54.643Z",
"dateReserved": "2025-05-15T08:36:54.783Z",
"dateUpdated": "2026-04-06T16:44:04.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46712 (GCVE-0-2025-46712)
Vulnerability from cvelistv5
Published
2025-05-08 19:26
Modified
2026-01-12 14:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-440 - Expected Behavior Violation
Summary
Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:02:52.990837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T20:03:27.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "otp",
"vendor": "erlang",
"versions": [
{
"status": "affected",
"version": "\u003e= OTP 27.0, \u003c OTP 27.3.4"
},
{
"status": "affected",
"version": "\u003e= OTP 26.2.1, \u003c OTP 26.2.5.12"
},
{
"status": "affected",
"version": "\u003c OTP 25.3.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440: Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T14:40:27.446Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf"
},
{
"name": "https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83"
},
{
"name": "https://github.com/erlang/otp/releases/tag/OTP-25.3.2.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-25.3.2.21"
},
{
"name": "https://github.com/erlang/otp/releases/tag/OTP-26.2.5.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.5.12"
},
{
"name": "https://github.com/erlang/otp/releases/tag/OTP-27.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-27.3.4"
}
],
"source": {
"advisory": "GHSA-934x-xq38-hhqf",
"discovery": "UNKNOWN"
},
"title": "Erlang/OTP SSH Has Strict KEX Violations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46712",
"datePublished": "2025-05-08T19:26:27.563Z",
"dateReserved": "2025-04-28T20:56:09.082Z",
"dateUpdated": "2026-01-12T14:40:27.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32433 (GCVE-0-2025-32433)
Vulnerability from cvelistv5
Published
2025-04-16 21:34
Modified
2026-02-26 18:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:53:28.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/16/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/18/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/18/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/18/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/19/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250425-0001/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32433",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T03:55:59.410447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-06-09",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32433"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:12.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32433"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "CVE-2025-32433 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "otp",
"vendor": "erlang",
"versions": [
{
"status": "affected",
"version": "\u003e= OTP-27.0-rc1, \u003c OTP-27.3.3"
},
{
"status": "affected",
"version": "\u003e= OTP-26.0-rc1, \u003c OTP-26.2.5.11"
},
{
"status": "affected",
"version": "\u003c OTP-25.3.2.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T21:34:37.457Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2"
},
{
"name": "https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12"
},
{
"name": "https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f"
},
{
"name": "https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891"
}
],
"source": {
"advisory": "GHSA-37cp-fgq5-7wc2",
"discovery": "UNKNOWN"
},
"title": "Erlang/OTP SSH Vulnerable to Pre-Authentication RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32433",
"datePublished": "2025-04-16T21:34:37.457Z",
"dateReserved": "2025-04-08T10:54:58.368Z",
"dateUpdated": "2026-02-26T18:28:12.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30211 (GCVE-0-2025-30211)
Vulnerability from cvelistv5
Published
2025-03-28 14:55
Modified
2025-11-03 19:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Summary
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:10:23.043937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:10:37.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:46:46.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "otp",
"vendor": "erlang",
"versions": [
{
"status": "affected",
"version": "\u003c OTP-27.3.1"
},
{
"status": "affected",
"version": "\u003c OTP-26.2.5.10"
},
{
"status": "affected",
"version": "\u003c OTP-25.3.2.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T14:55:47.778Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc"
}
],
"source": {
"advisory": "GHSA-vvr3-fjhh-cfwc",
"discovery": "UNKNOWN"
},
"title": "KEX init error results with excessive memory usage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30211",
"datePublished": "2025-03-28T14:55:47.778Z",
"dateReserved": "2025-03-18T18:15:13.850Z",
"dateUpdated": "2025-11-03T19:46:46.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26618 (GCVE-0-2025-26618)
Vulnerability from cvelistv5
Published
2025-02-20 19:04
Modified
2025-11-03 19:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Summary
Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang. Packet size is not verified properly for SFTP packets. As a result when multiple SSH packets (conforming to max SSH packet size) are received by ssh, they might be combined into an SFTP packet which will exceed the max allowed packet size and potentially cause large amount of memory to be allocated. Note that situation described above can only happen for successfully authenticated users after completing the SSH handshake. This issue has been patched in OTP versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known workarounds for this vulnerability.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T20:55:12.631567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:55:45.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://erlang.org/download/OTP-27.2.4.README.md"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:45:28.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "otp",
"vendor": "erlang",
"versions": [
{
"status": "affected",
"version": "\u003e= OTP-27.0.0, \u003c OTP-27.2.4"
},
{
"status": "affected",
"version": "\u003e= OTP-26.0.0.0, \u003c OTP-26.2.5.9"
},
{
"status": "affected",
"version": "\u003c OTP-25.3.2.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang. Packet size is not verified properly for SFTP packets. As a result when multiple SSH packets (conforming to max SSH packet size) are received by ssh, they might be combined into an SFTP packet which will exceed the max allowed packet size and potentially cause large amount of memory to be allocated. Note that situation described above can only happen for successfully authenticated users after completing the SSH handshake. This issue has been patched in OTP versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:05:07.412Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/erlang/otp/security/advisories/GHSA-78cv-45vx-q6fr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-78cv-45vx-q6fr"
},
{
"name": "https://github.com/erlang/otp/commit/0ed2573cbd55c92e9125c9dc70fa1ca7fed82872",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/commit/0ed2573cbd55c92e9125c9dc70fa1ca7fed82872"
}
],
"source": {
"advisory": "GHSA-78cv-45vx-q6fr",
"discovery": "UNKNOWN"
},
"title": "SSH SFTP packet size not verified properly in Erlang OTP"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-26618",
"datePublished": "2025-02-20T19:04:54.691Z",
"dateReserved": "2025-02-12T14:51:02.719Z",
"dateUpdated": "2025-11-03T19:45:28.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53846 (GCVE-0-2024-53846)
Vulnerability from cvelistv5
Published
2024-12-05 17:02
Modified
2024-12-06 16:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-295 - Improper Certificate Validation
Summary
OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "otp",
"vendor": "erlang",
"versions": [
{
"lessThanOrEqual": "25.3.2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53846",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T16:04:29.566469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:26:57.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "otp",
"vendor": "erlang",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.3.2.8, \u003c= 25.3.2.16"
},
{
"status": "affected",
"version": "\u003e= 26.2, \u003c= 26.2.5.6"
},
{
"status": "affected",
"version": "\u003e= 27.0, \u003c= 27.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T17:02:59.370Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/erlang/otp/security/advisories/GHSA-qw6r-qh9v-638v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-qw6r-qh9v-638v"
}
],
"source": {
"advisory": "GHSA-qw6r-qh9v-638v",
"discovery": "UNKNOWN"
},
"title": "ssl fails to validate incorrect extened key usage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53846",
"datePublished": "2024-12-05T17:02:59.370Z",
"dateReserved": "2024-11-22T17:30:02.140Z",
"dateUpdated": "2024-12-06T16:26:57.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}