CVE-2025-48039: CWE-770 Allocation of Resources Without Limits or Throttling in Erlang OTP
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with the program file lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15, corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
AI Analysis
Technical Summary
CVE-2025-48039 is a resource allocation vulnerability categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption) affecting the Erlang Open Telecom Platform (OTP), specifically within the ssh_sftp modules. The flaw exists in the ssh_sftpd.erl source file, where the system fails to impose limits or throttling on resource allocation during SSH or SFTP operations. This can lead to excessive allocation of memory or other resources, resulting in resource leaks and potential exhaustion. The affected OTP versions range from 17.0 up to 28.0.3, including specific patch versions of OTP 27 and 26, and corresponding ssh package versions from 3.0.1 to 5.3.3. The vulnerability can be exploited remotely without authentication or user interaction, making it accessible to unauthenticated attackers over the network. Exploitation could cause denial of service by exhausting server resources, impacting availability of services relying on Erlang OTP's SSH/SFTP components. The CVSS 4.0 base score is 5.3, reflecting medium severity due to network vector, low complexity, no privileges required, and limited impact on confidentiality and integrity but notable impact on availability. No public exploits have been reported yet, but the broad version range and network accessibility increase the risk of future exploitation. The vulnerability is particularly relevant for organizations using Erlang OTP in telecommunications, distributed systems, and cloud environments where SSH/SFTP services are critical.
Potential Impact
The primary impact of CVE-2025-48039 is on the availability of systems running vulnerable versions of Erlang OTP's ssh_sftp modules. An attacker can remotely trigger excessive resource allocation, leading to resource exhaustion such as memory leaks or CPU saturation, which can cause denial of service (DoS). This can disrupt critical services that rely on Erlang OTP for secure shell or file transfer operations, potentially causing downtime and operational disruption. While confidentiality and integrity impacts are minimal, the availability impact can be significant, especially in high-availability environments like telecom infrastructure, cloud platforms, and financial services that depend on Erlang OTP. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of automated attacks or large-scale exploitation attempts. Organizations with large Erlang OTP deployments may face increased operational costs and reputational damage if services are interrupted. Additionally, resource exhaustion could be leveraged as part of multi-stage attacks to facilitate further compromise or lateral movement.
Mitigation Recommendations
To mitigate CVE-2025-48039, organizations should first apply any official patches or updates released by the Erlang OTP maintainers once available. In the absence of patches, administrators should implement resource-limiting controls at the system and network levels:
- Configure operating-system resource limits (e.g., ulimit for memory and CPU usage) on the processes running Erlang OTP services.
- Apply network-level rate limiting and connection throttling to reduce the risk of resource exhaustion from excessive SSH/SFTP requests.
- Monitor resource usage and alert on unusual spikes in memory or CPU consumption related to ssh_sftp processes, enabling early detection of exploitation attempts.
- Employ application-layer firewalls or intrusion prevention systems to detect and block abnormal SSH/SFTP traffic patterns.
- Where feasible, isolate Erlang OTP SSH/SFTP services in dedicated environments or containers to limit the blast radius of an attack.
- Review and minimize the exposure of SSH/SFTP services to untrusted networks to reduce the attack surface.
For long-term remediation, a detailed code review and testing of ssh_sftpd.erl for resource-management improvements is recommended.
Affected Countries
United States, Germany, India, China, United Kingdom, France, Japan, South Korea, Brazil, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: EEF
- Date Reserved: 2025-05-15T08:36:04.576Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c31dfb563d4c3db05f6e4c
Added to database: 9/11/2025, 7:07:39 PM
Last enriched: 2/28/2026, 2:54:27 PM
Last updated: 3/25/2026, 12:41:00 AM