CVE-2025-30211
Published: 28 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-30211 is a vulnerability in Erlang/OTP, a set of libraries for the Erlang programming language, affecting versions prior to OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19. The issue stems from the SSH implementation's failure to enforce the RFC-specified limit on algorithm names in KEX init messages, which restricts each name to 64 characters. A maliciously formed KEX init message with oversized algorithm names triggers inefficient error processing, leading to excessive memory allocation and potentially very high memory usage.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating that it is exploitable over the network with low complexity and requires no privileges or user interaction. Remote attackers can send a specially crafted KEX init packet to an affected Erlang/OTP SSH server, causing significant memory consumption and a potential denial of service through resource exhaustion.
Patched versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 address the issue by enforcing the algorithm name length limits. Advisories recommend upgrading to these versions; workarounds include setting the `parallel_login` option to `false` and/or reducing the `max_sessions` option to limit exposure. Further details are available in the Erlang/OTP GitHub security advisory (GHSA-vvr3-fjhh-cfwc) and Debian LTS announcement.
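As an added illustration of the length check that the patched versions enforce (example code, not Erlang/OTP's own), the following Python parses an SSH_MSG_KEXINIT payload and rejects any algorithm name longer than the 64 characters RFC 4251 allows before doing anything else with the message. The short field names and the `build_kexinit` helper used to construct test input are this example's own.

```python
import struct
SSH_MSG_KEXINIT = 20
MAX_ALGORITHM_NAME_LEN = 64  # RFC 4251 section 6: algorithm names are at most 64 chars
NAME_LIST_FIELDS = (  # shorthand for the ten name-lists of SSH_MSG_KEXINIT (RFC 4253 section 7.1)
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

class KexInitError(ValueError):
    """Raised when a KEXINIT payload violates the wire format or the RFC limits."""

def _read_name_list(payload: bytes, offset: int):
    """Read one SSH name-list (uint32 length + comma-separated names) at offset."""
    if offset + 4 > len(payload):
        raise KexInitError("truncated name-list length")
    (length,) = struct.unpack_from(">I", payload, offset)
    offset += 4
    if offset + length > len(payload):
        raise KexInitError("name-list length exceeds payload")
    raw = payload[offset:offset + length]
    names = raw.split(b",") if raw else []
    for name in names:
        # Check the RFC limits before any further processing, so an oversized
        # name is rejected cheaply instead of being carried into error handling.
        if not name or len(name) > MAX_ALGORITHM_NAME_LEN:
            raise KexInitError(f"algorithm name length {len(name)} outside 1..{MAX_ALGORITHM_NAME_LEN}")
        if not all(0x21 <= b <= 0x7E for b in name):
            raise KexInitError("algorithm name contains non-printable or non-ASCII bytes")
    return [n.decode("ascii") for n in names], offset + length

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload: message id, 16-byte cookie, ten name-lists, trailer."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not an SSH_MSG_KEXINIT payload")
    if len(payload) < 17:
        raise KexInitError("truncated cookie")
    offset, lists = 17, {}
    for field in NAME_LIST_FIELDS:
        lists[field], offset = _read_name_list(payload, offset)
    if offset + 5 != len(payload):  # boolean first_kex_packet_follows + uint32 reserved
        raise KexInitError("bad trailer length")
    return lists

def build_kexinit(name_lists) -> bytes:
    """Encode ten name-lists as a KEXINIT payload with a zero cookie (constructed test input)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + bytes(4)
```

The same check can be run over KEXINIT payloads captured in front of an unpatched server to confirm whether oversized names are reaching it.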
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated attackers to send crafted SSH KEX init messages with oversized algorithm names, triggering excessive memory allocation and resource exhaustion on the SSH server; this maps directly to application/system exploitation for endpoint denial of service.