CVE-2025-48040: 
Erlang OTP vulnerability analysis and mitigation

CVE-2025-48040 is a vulnerability in Erlang OTP's SSH implementation that affects versions from 17.0 onwards until versions 28.0.3, 27.3.4.3, and 26.2.5.15 (for OTP) and versions 5.3.3, 5.2.11.3, and 5.1.4.12 (for ssh component). The vulnerability was discovered and disclosed on September 10, 2025. The issue allows malicious key exchange messages to lead to excessive CPU and memory usage due to overly tolerant handling of data received from unauthenticated users (GHSA Advisory).

The vulnerability stems from two main issues in the SSH key exchange implementation: 1) Processing of an excessive number of validly sized algorithms specified in the KEXINIT message, and 2) Handling of cryptographic parameters with excessive size that cause cryptographic operations to generate unusually large exception data, which is then unnecessarily processed. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Moderate) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GHSA Advisory).

When exploited, this vulnerability can lead to excessive CPU and memory resource consumption on affected systems. The impact primarily affects system availability through resource exhaustion, though there are no direct impacts on system confidentiality or integrity (GHSA Advisory).

Two temporary workarounds are available before applying the patch: 1) Set the option 'parallellogin' to false, and 2) Reduce the 'maxsessions' option. For a permanent fix, users should upgrade to the patched versions: OTP versions 28.0.3, 27.3.4.3, or 26.2.5.15, or ssh component versions 5.3.3, 5.2.11.3, or 5.1.4.12 (GHSA Advisory).