CVE-2025-48039: 
CBL Mariner vulnerability analysis and mitigation

A resource exhaustion vulnerability (CVE-2025-48039) was discovered in Erlang OTP's SSH SFTP module, specifically affecting the ssh_sftp modules. The vulnerability was disclosed on September 11, 2025, and affects OTP versions from 17.0 up to 28.0.3, 27.3.4.3, and 26.2.5.15, corresponding to SSH versions from 3.0.1 up to 5.3.3, 5.2.11.3, and 5.1.4.12. The vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl (NVD, GitHub Advisory).

The vulnerability is classified as an Allocation of Resources Without Limits or Throttling issue (CWE-770) and Uncontrolled Resource Consumption (CWE-400). It has been assigned a CVSS v4.0 base score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. The vulnerability specifically relates to unverified paths in the SFTP module that can lead to excessive resource allocation and potential resource leaks (GitHub Advisory).

When exploited, this vulnerability can lead to excessive CPU and memory usage by authenticated SFTP users, potentially affecting system stability. This is specifically a server-side vulnerability that could impact the availability of the system resources (GitHub Advisory).

Two primary workarounds are available: disabling SFTP functionality or limiting the number of max_sessions allowed for sshd to make exploitation more complicated. For permanent remediation, users should upgrade to the patched versions: OTP 28.0.3, 27.3.4.3, or 26.2.5.15, or SSH versions 5.3.3, 5.2.11.3, or 5.1.4.12 (GitHub Advisory).