CVE-2025-48040: 
CBL Mariner vulnerability analysis and mitigation

A vulnerability (CVE-2025-48040) was discovered in Erlang OTP's SSH implementation (ssh_sftp modules) that allows for Uncontrolled Resource Consumption through Excessive Allocation and Flooding. The vulnerability affects OTP versions from 17.0 up to 28.0.3, 27.3.4.3, and 26.2.5.15, corresponding to SSH versions from 3.0.1 up to 5.3.3, 5.2.11.3, and 5.1.4.12. The issue was disclosed on September 11, 2025 (NVD, GitHub Advisory).

The vulnerability stems from overly tolerant handling of data received from unauthenticated users during key exchange. The issue manifests in two ways: through processing of a large number of validly sized algorithms specified in the KEXINIT message, and through cryptographic parameters with excessive size that generate unusually large exception data. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.9 (Medium) with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

When exploited, this vulnerability can lead to excessive CPU and memory usage on affected systems. The impact is primarily focused on resource consumption, potentially affecting system availability, though no direct impact on confidentiality or integrity has been identified (GitHub Advisory).

Two temporary workarounds are available: setting the option 'parallel_login' to false and reducing the 'max_sessions' option. For a permanent fix, users should upgrade to the patched versions: OTP 28.0.3, 27.3.4.3, or 26.2.5.15, which correspond to SSH versions 5.3.3, 5.2.11.3, or 5.1.4.12 respectively (GitHub Advisory).