CVE-2025-48040 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the ssh_sftp modules within the Erlang Open Telecom Platform (OTP). The affected versions span from OTP 17.0 up to OTP 28.0.3, including specific ssh package versions from 3.0.1 through 5.3.3 and their minor revisions. The vulnerability resides in the ssh_sftpd.erl source file, which implements the SSH SFTP server functionality. An attacker can exploit this flaw by sending specially crafted requests that cause the ssh_sftp daemon to allocate excessive memory or CPU resources without proper limits or throttling mechanisms. This uncontrolled resource consumption can lead to service degradation or denial of service (DoS) by exhausting system resources such as memory or CPU cycles. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS v4.0 base score is 6.9, indicating a medium severity level, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is primarily on availability (VA:L), with no direct confidentiality or integrity impact. No known public exploits have been reported yet, but the widespread use of Erlang OTP in telecom, messaging systems, and backend services makes this a significant concern. The lack of patch links suggests that fixes may be forthcoming or in development. This vulnerability underscores the need for robust resource management in network-facing services to prevent denial-of-service conditions caused by resource exhaustion.

The primary impact of CVE-2025-48040 is a denial-of-service condition caused by uncontrolled resource consumption in the Erlang OTP ssh_sftp server. Organizations running vulnerable versions of Erlang OTP in production environments may experience service outages or degraded performance when subjected to exploitation attempts. This can disrupt critical services relying on SSH and SFTP for secure file transfers, including telecom infrastructure, distributed messaging platforms, and backend systems. The vulnerability can be exploited remotely without authentication, increasing the attack surface and risk of automated attacks or scanning. Prolonged exploitation could lead to resource exhaustion, impacting availability and potentially causing cascading failures in dependent systems. While no direct confidentiality or integrity compromise is indicated, the loss of availability can have severe operational and financial consequences, especially for service providers and enterprises with high uptime requirements. The lack of known exploits in the wild currently reduces immediate risk, but the medium severity score and ease of exploitation warrant proactive mitigation. Organizations failing to address this vulnerability may face increased risk of targeted or opportunistic denial-of-service attacks, impacting customer trust and regulatory compliance.

1. Monitor and limit resource usage: Implement monitoring of CPU, memory, and network usage for ssh_sftp services to detect abnormal spikes indicative of exploitation attempts. 2. Connection throttling: Configure limits on the number of concurrent ssh_sftp connections and rate-limit incoming requests to reduce the risk of flooding. 3. Network segmentation and firewall rules: Restrict access to ssh_sftp services to trusted networks or IP ranges to minimize exposure. 4. Apply patches promptly: Stay updated with Erlang OTP vendor releases and apply security patches as soon as they become available to remediate the vulnerability. 5. Use alternative secure file transfer methods: Where feasible, consider using other secure file transfer protocols or implementations with better resource management until patches are applied. 6. Conduct regular security assessments: Perform penetration testing and vulnerability scanning focused on resource exhaustion vectors to identify weaknesses. 7. Implement failover and redundancy: Design systems to gracefully handle service disruptions caused by resource exhaustion to maintain availability. 8. Harden Erlang OTP configurations: Review and adjust OTP ssh_sftp module configurations to enforce stricter resource limits and timeouts. These measures combined will reduce the attack surface and mitigate the risk of denial-of-service caused by this vulnerability.