CVE-2025-48039 is a resource allocation vulnerability identified in the Erlang OTP ssh component, specifically within the ssh_sftp modules (lib/ssh/src/ssh_sftpd.erl). The flaw arises from the allocation of resources without proper limits or throttling, categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption). This vulnerability affects a broad range of Erlang OTP versions, from OTP 17.0 through OTP 28.0.3, including specific patch versions such as OTP 27.3.4.3 and 26.2.5.15, and ssh versions from 3.0.1 up to 5.3.3 and related sub-versions. The vulnerability allows an attacker to cause excessive resource allocation or resource leaks by exploiting the ssh_sftp server implementation, potentially leading to denial of service (DoS) conditions. The CVSS 4.0 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but with limited privileges, no user interaction (UI:N), and impacts availability to a low extent (VA:L). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability does not affect confidentiality or integrity directly but can degrade service availability by exhausting system resources, which can disrupt services relying on Erlang OTP ssh, including telecom infrastructure, messaging systems, and distributed applications that use Erlang's robust concurrency model.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Erlang OTP in critical infrastructure, telecommunications (notably Ericsson and other telecom vendors using Erlang), and distributed systems. Exploitation could lead to denial of service by exhausting server resources, causing service outages or degraded performance. This can affect service providers, financial institutions, and enterprises with Erlang-based backend systems, potentially disrupting business operations and customer services. Given Erlang's widespread use in telecom and messaging platforms, outages could cascade, impacting communication services and real-time data processing. The medium severity rating suggests that while the vulnerability is not trivially exploitable to cause full system compromise, it can still cause operational disruptions. European organizations with high availability requirements and those in regulated sectors (finance, healthcare, telecom) may face compliance and reputational risks if affected by service disruptions.

Organizations should proactively identify Erlang OTP versions in use, especially those running ssh_sftp modules. Immediate mitigation steps include implementing network-level rate limiting and connection throttling to reduce the risk of resource exhaustion from malicious or malformed ssh_sftp requests. Monitoring resource usage on Erlang nodes and setting up alerts for unusual spikes can help detect exploitation attempts early. Applying any vendor-provided patches or updates as soon as they become available is critical. In the absence of patches, consider isolating vulnerable services behind firewalls or VPNs to restrict access to trusted users only. Additionally, reviewing and hardening ssh_sftp configuration to limit concurrent sessions and resource allocation per session can reduce exposure. For telecom operators and service providers, coordination with Erlang OTP maintainers and vendors is advised to receive timely updates and guidance. Finally, conducting penetration testing and resilience assessments focused on resource exhaustion scenarios can help validate defenses.