CVE-2025-48038: 
Erlang OTP vulnerability analysis and mitigation

CVE-2025-48038 is a vulnerability in the SSH/SFTP implementation of Erlang/OTP discovered and disclosed on September 10, 2025. The vulnerability affects all versions of OTP from 17.0 onwards and ssh versions >= 3.0.1. The issue allows authenticated SFTP users to potentially cause excessive CPU and memory usage on the server side by exploiting unverified file handles (GitHub Advisory).

The vulnerability stems from the SFTP server's failure to properly validate file handle sizes. According to the SFTP specification (draft-ietf-secsh-filexfer-02), file handle strings must not exceed 256 bytes. The vulnerability exists in the handling of SFTP operations including CLOSE, FSETSTAT, FSTAT, READ, READDIR, and WRITE commands when processing file handles. The issue has been assigned a CVSS v4.0 score of 5.3 (Moderate) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

When exploited, this vulnerability can lead to excessive CPU and memory consumption on systems running the affected versions of Erlang/OTP's SSH/SFTP server. This resource exhaustion can potentially affect system stability and availability of the server (GitHub Advisory).

The vulnerability has been patched in OTP versions 28.0.3, 27.3.4.3, and 26.2.5.15, and ssh versions 5.3.3, 5.2.11.3, and 5.1.4.12. For systems that cannot immediately update, temporary workarounds include disabling SFTP functionality or limiting the number of maximum SSH sessions allowed for sshd to complicate exploitation attempts (GitHub Advisory).