CVE-2025-46807: CWE-770: Allocation of Resources Without Limits or Throttling in sslh (https://github.com/yrutschle/sslh/releases/tag/v2.2.4)
An Allocation of Resources Without Limits or Throttling vulnerability in sslh allows attackers to easily exhaust the file descriptors in sslh and deny legitimate users service. This issue affects sslh before 2.2.4.
AI Analysis
Technical Summary
CVE-2025-46807 is a high-severity vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the sslh software prior to version 2.2.4. sslh is a protocol multiplexer that allows multiple protocols (such as HTTPS, SSH, OpenVPN) to share a single port, commonly used to simplify firewall configurations and service management. The vulnerability arises because sslh does not impose limits or throttling on resource allocation, specifically file descriptors, which are finite system resources representing open files or network sockets. An attacker can exploit this by initiating numerous connections or requests to sslh, causing it to exhaust its available file descriptors. Once exhausted, sslh cannot accept new legitimate connections, resulting in a denial of service (DoS) condition for users relying on the service. The CVSS 4.0 base score of 8.7 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and a high impact on availability (VA:H), with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, but the ease of exploitation and the critical nature of the impact make this a significant threat. The vulnerability affects all versions of sslh before 2.2.4, and the issue was publicly disclosed on June 2, 2025. Since sslh is often deployed in environments where multiple protocols are multiplexed over a single port, this vulnerability can disrupt critical network services and communications if exploited.
Potential Impact
For European organizations, the impact of CVE-2025-46807 can be substantial, especially for those relying on sslh to manage multiple protocol traffic through a single port. The exhaustion of file descriptors can lead to denial of service, disrupting access to essential services such as SSH for remote administration, HTTPS for web services, or VPN connections for secure remote access. This disruption can affect business continuity, remote work capabilities, and secure communications. Critical infrastructure providers, financial institutions, and government agencies in Europe that utilize sslh for service multiplexing may face operational outages, potentially leading to financial losses, reputational damage, and compliance issues under regulations such as GDPR. Additionally, the lack of authentication or user interaction required for exploitation means attackers can launch attacks remotely and anonymously, increasing the risk of widespread service disruption. While no data breach or integrity compromise is indicated, the availability impact alone can have cascading effects on dependent systems and services.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately upgrade sslh to version 2.2.4 or later, where the resource allocation limits and throttling mechanisms have been implemented. In addition to patching, organizations should implement network-level protections such as rate limiting and connection throttling on firewalls or load balancers to restrict the number of simultaneous connections to sslh. Monitoring system metrics related to file descriptor usage and connection counts can provide early warning signs of potential exhaustion attacks. Employing intrusion detection systems (IDS) or anomaly detection tools to identify unusual spikes in connection attempts can help in proactive defense. Furthermore, organizations should review and harden system limits on file descriptors (ulimit settings) to ensure that sslh operates within safe resource boundaries. Where feasible, segmenting services and reducing reliance on multiplexing critical protocols through a single port can reduce the attack surface. Finally, maintaining an incident response plan that includes DoS attack scenarios will improve readiness to respond to exploitation attempts.
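One way to implement the file-descriptor monitoring recommended above, as an added example (not part of the advisory or of sslh): shell functions that compare a process's open descriptors with its soft `Max open files` limit using the Linux `/proc` layout. The function names, the optional proc-root argument and the threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: measure how close a process is to its open-file limit.
# PROC_ROOT (last argument) defaults to /proc; it is overridable so the logic
# can be exercised against a constructed directory tree.

# fd_soft_limit PID [PROC_ROOT] -> soft "Max open files" value
fd_soft_limit() {
    awk '/^Max open files/ { print $4 }' "${2:-/proc}/$1/limits"
}

# fd_open_count PID [PROC_ROOT] -> number of descriptors currently open
fd_open_count() {
    dir="${2:-/proc}/$1/fd"
    # Reading another user's fd directory needs root; fail instead of reporting 0.
    [ -d "$dir" ] && [ -r "$dir" ] || return 2
    ls -A "$dir" | wc -l | tr -d ' '
}

# fd_usage_pct PID [PROC_ROOT] -> integer percentage of the soft limit in use
fd_usage_pct() {
    limit=$(fd_soft_limit "$1" "$2") || return 2
    count=$(fd_open_count "$1" "$2") || return 2
    case "$limit" in
        unlimited)    echo 0; return 0 ;;
        ''|*[!0-9]*)  return 2 ;;            # limits file missing or unparsable
        0)            echo 100; return 0 ;;
    esac
    echo $(( count * 100 / limit ))
}

# fd_check PID WARN_PCT [PROC_ROOT]
# exit 0: below threshold, 1: at or above threshold, 2: could not read /proc
fd_check() {
    pct=$(fd_usage_pct "$1" "$3") || return 2
    [ "$pct" -lt "$2" ]
}

# Example call from cron or a monitoring agent (PID lookup is an assumption;
# adapt it to how sslh is supervised on the host):
#   fd_check "$SSLH_PID" 80 || logger -p daemon.warning "sslh fd usage high"
```

A sustained reading near the threshold while connection counts from a small set of sources climb is the early-warning pattern the paragraph above describes.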
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: suse
- Date Reserved: 2025-04-30T11:28:04.728Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 683d9584182aa0cae242f8ae
Added to database: 6/2/2025, 12:13:56 PM
Last enriched: 7/11/2025, 8:03:15 AM
Last updated: 8/14/2025, 2:53:01 PM