
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2025-48038) was discovered in the Erlang OTP ssh application (ssh_sftp modules) that allows Excessive Allocation and Resource Leak Exposure. It affects OTP versions from OTP 17.0 up to, but not including, the patched releases OTP 28.0.3, OTP 27.3.4.3 and OTP 26.2.5.15, corresponding to ssh versions from 3.0.1 up to, but not including, 5.3.3, 5.2.11.3 and 5.1.4.12. The issue was disclosed on September 11, 2025 (NVD).
The vulnerability stems from unverified file handles in the SFTP implementation: the size of an incoming handle was not validated. The SFTP specification requires that a file handle string not exceed 256 bytes, but this limit was not enforced, so oversized handles could drive up resource consumption. The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GHSA Advisory).
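The check the advisory describes as missing, as an added illustration (not OTP's code): parse the header of an SFTP request that carries a file handle and bound the declared handle length to the 256-byte limit before any bytes are copied or looked up. The wire layout is the standard SFTP one (byte type, uint32 request-id, string handle); `check_handle_request`, `build_request` and the `open_handles` set are hypothetical names introduced here.

```python
import struct

# SFTP request types (draft-ietf-secsh-filexfer) whose first argument is a file handle.
HANDLE_REQUESTS = {4: "CLOSE", 5: "READ", 6: "WRITE", 8: "FSTAT", 10: "FSETSTAT", 12: "READDIR"}
MAX_HANDLE_LEN = 256        # the spec's upper bound on a handle string
SSH_FX_OK, SSH_FX_FAILURE, SSH_FX_BAD_MESSAGE = 0, 4, 5


def check_handle_request(payload: bytes, open_handles: set):
    """Validate the handle carried by an SFTP request body.

    payload layout (outer uint32 packet length already stripped):
        byte type | uint32 request-id | uint32 handle-len | handle bytes | ...
    Returns (status, request_id, handle). The declared handle length is bounded
    BEFORE any bytes are copied or looked up, so an oversized handle costs the
    server nothing beyond reading the fixed-size header. Hypothetical helper,
    not OTP's own implementation.
    """
    if len(payload) < 9 or payload[0] not in HANDLE_REQUESTS:
        return SSH_FX_BAD_MESSAGE, None, None
    request_id, handle_len = struct.unpack(">II", payload[1:9])
    if handle_len > MAX_HANDLE_LEN:            # the bound the advisory says was missing
        return SSH_FX_BAD_MESSAGE, request_id, None
    if len(payload) < 9 + handle_len:          # declared length runs past the packet
        return SSH_FX_BAD_MESSAGE, request_id, None
    handle = payload[9:9 + handle_len]
    if handle not in open_handles:             # handles are server-issued opaque tokens
        return SSH_FX_FAILURE, request_id, handle
    return SSH_FX_OK, request_id, handle


def build_request(msg_type: int, request_id: int, handle: bytes) -> bytes:
    """Constructed sample request body (test input only, not captured traffic)."""
    return bytes([msg_type]) + struct.pack(">II", request_id, len(handle)) + handle


if __name__ == "__main__":
    issued = {b"\x00\x00\x00\x01"}                         # one handle the server handed out
    ok = build_request(8, 7, b"\x00\x00\x00\x01")          # FSTAT on a valid handle
    huge = build_request(8, 8, b"A" * 4096)                # FSTAT with a 4 KiB handle
    print(check_handle_request(ok, issued))                # (0, 7, b'\x00\x00\x00\x01')
    print(check_handle_request(huge, issued))              # (5, 8, None)
```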
When exploited, this vulnerability can lead to excessive CPU and memory usage by authenticated SFTP users, potentially affecting system stability. The impact is primarily on the availability of the vulnerable system, while confidentiality and integrity remain unaffected (GHSA Advisory).
Two workarounds are available until the patch is applied: 1) disable SFTP functionality completely, or 2) limit the number of max_sessions allowed for sshd, which makes exploitation more complicated. For a permanent fix, users should upgrade to the patched versions OTP 28.0.3, 27.3.4.3 or 26.2.5.15, which correspond to ssh versions 5.3.3, 5.2.11.3 and 5.1.4.12 respectively (GHSA Advisory).
Source: This report was generated using AI