CVE-2025-48039: 
Erlang OTP vulnerability analysis and mitigation

A resource exhaustion vulnerability (CVE-2025-48039) was discovered in Erlang OTP's SSH SFTP module, specifically affecting the sshsftpd component. The vulnerability was disclosed on September 11, 2025, and impacts OTP versions from 17.0 up to 28.0.3, 27.3.4.3, and 26.2.5.15, corresponding to SSH versions from 3.0.1 up to 5.3.3, 5.2.11.3, and 5.1.4.12. The issue is related to uncontrolled resource allocation in the lib/ssh/src/sshsftpd.erl program files (EEF Advisory).

The vulnerability is classified as an Allocation of Resources Without Limits or Throttling issue (CWE-770) and Uncontrolled Resource Consumption (CWE-400). It received a CVSS v4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. The issue specifically relates to unverified paths from authenticated SFTP users that can trigger excessive resource allocation and potential resource leaks (EEF Advisory).

When exploited, this vulnerability can lead to excessive CPU and memory usage on the server side, potentially affecting system stability. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity of the system (EEF Advisory).

Two primary workarounds are available before applying the patch: 1) disabling SFTP completely, or 2) limiting the number of max_sessions allowed for sshd to make exploitation more complicated. For a permanent fix, users should upgrade to the patched versions: OTP 28.0.3, 27.3.4.3, or 26.2.5.15, or SSH versions 5.3.3, 5.2.11.3, or 5.1.4.12 (EEF Advisory).