The vulnerability arises because the ftp_internal:handle_ctrl_result/2 PASV handler extracts the IP address from the FTP server's 227 response and uses it directly in gen_tcp:connect/4 without validating it against the control connection's peer address, violating RFC 2577 recommendations. This allows a malicious or compromised FTP server to redirect the client's data connection to arbitrary internal hosts and ports. The adjacent EPSV handlers correctly validate the IP, but the PASV handler does not. This flaw enables SSRF attacks and FTP bounce attacks via the vulnerable ftp module in Erlang/OTP. Affected versions include OTP 17.4 through versions before 29.0.2, 28.5.0.2, and 27.3.4.13, inets 5.10.4 through before 7.0, and ftp 1.0 and later before 1.2.6, 1.2.4.1, and 1.2.3.1. No official remediation or patch information is provided, and the ftp application is deprecated and planned for removal in OTP-30.

An attacker controlling or compromising an FTP server can exploit this vulnerability to perform SSRF attacks by redirecting the client's data connection to arbitrary internal hosts or cloud metadata endpoints. This can lead to unauthorized data access or interaction with internal network services. Additionally, FTP bounce attacks against third-party hosts are possible, potentially enabling indirect attacks on other systems. The vulnerability affects default passive mode FTP client configurations in Erlang/OTP, impacting data read and write operations.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the ftp application is deprecated and scheduled for removal in OTP-30, consider migrating away from it. Until an official fix is available, avoid using the vulnerable ftp module in passive mode with untrusted FTP servers or restrict FTP usage to trusted environments. Monitor vendor communications for updates on patches or official mitigations.