
Erlang/OTP ftp CVE-2026-48858

EUVD-2026-36055 · MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-10 · EEF
CVSS 4.0 (NVD): 6.3

Severity by source

NVD (primary): 6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

  • Jun 10, 2026 16:38 (vuln.today): Source code evidence fetched
  • Jun 10, 2026 16:38 (vuln.today): Analysis generated
  • Jun 10, 2026 16:22 (NVD): CVSS changed to 6.3 (MEDIUM)

Description (NVD)

Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.

The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.

The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.

The ftp application is deprecated and scheduled for removal in OTP-30.

This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).

This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13, corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
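The RFC 2577 section 3 check the description calls for, as an added Python example that is not Erlang/OTP code: it parses a 227 reply and accepts the advertised data-connection address only when it matches the control-connection peer, beside the unchecked behaviour the advisory describes. Function names and the sample replies are constructed for this example.

```python
import ipaddress
import re

# Added example, not Erlang/OTP code. It models the RFC 2577 section 3 check the
# vulnerable PASV handler skipped: the data-connection address advertised in a
# 227 reply is accepted only if it equals the control-connection peer address.
# Function names and the sample replies below are constructed for this example.

PASV_RE = re.compile(r"227\D*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Parse an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    port = (p1 << 8) | p2  # RFC 959: port = p1 * 256 + p2
    if max(h1, h2, h3, h4, p1, p2) > 255 or port == 0:
        raise ValueError(f"octet or port out of range in 227 reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_endpoint_unchecked(reply: str, control_peer: str) -> tuple[str, int]:
    """Vulnerable behaviour: connect wherever the 227 reply says, like the
    PASV path in ftp_internal before the fix (control_peer is ignored)."""
    return parse_pasv(reply)


def data_endpoint_checked(reply: str, control_peer: str) -> tuple[str, int]:
    """Hardened behaviour: refuse a data connection to any host other than the
    control-connection peer. The EPSV path already achieves this by taking the
    address from peername(CSock); here the advertised address is compared to it."""
    host, port = parse_pasv(reply)
    if ipaddress.IPv4Address(host) != ipaddress.IPv4Address(control_peer):
        raise ConnectionRefusedError(
            f"227 reply advertised {host} but control peer is {control_peer}; "
            "refusing redirected data connection (RFC 2577 section 3)")
    return host, port


# Constructed replies: a benign one from the real server, and one that tries to
# redirect the data channel to the cloud metadata address named in the advisory.
CONTROL_PEER = "192.0.2.10"
BENIGN = "227 Entering Passive Mode (192,0,2,10,195,80)."
REDIRECT = "227 Entering Passive Mode (169,254,169,254,0,80)."
```

The checked variant is the stricter of the two fixes a client can apply; an alternative that mirrors the EPSV handler is to ignore the advertised host entirely and connect to the control peer on the advertised port.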

Analysis (AI-generated)

SSRF and FTP bounce attacks are enabled in Erlang/OTP's ftp_internal module because the PASV handler blindly trusts the IP address returned in a server's 227 response, connecting the data channel to an attacker-controlled internal target without validating it against the control connection's actual peer address. All Erlang applications using the ftp client in its default passive IPv4 mode (ipfamily=inet, ftp_extension=false) across OTP 17.4 through pre-29.0.2 are affected, spanning both the legacy inets-bundled module and the standalone ftp application. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Operate or compromise target FTP server
  • Delivery: Client issues PASV command in passive IPv4 mode
  • Exploit: Inject crafted 227 response advertising internal target IP and port
  • Execution: Erlang ftp client opens data channel to redirected internal host
  • Impact: Exfiltrate response data from internal service or deliver file content to internal target

Vulnerability Assessment (AI-generated)

Exploitation: The vulnerable code path is activated by the default ftp client configuration: mode=passive, ipfamily=inet, and ftp_extension=false. …

Risk Assessment: The CVSS 4.0 score of 6.3 reflects network reachability (AV:N), no required privileges (PR:N) and no user interaction (UI:N), but with Attack Requirements present (AT:P), acknowledging that a malicious or compromised FTP server must be in the connection path. …

Exploit Scenario: An attacker who operates or has compromised an FTP server that an Erlang application connects to using default passive mode waits for the client to issue a PASV command, then responds with a crafted 227 message containing the IP of an internal target (such as the AWS instance metadata endpoint at 169.254.169.254 or an internal REST API) rather than the FTP server's own address. The Erlang ftp client unconditionally opens its data channel to that internal address; on an ls or recv call, the response data from the internal service is returned to the Erlang caller, leaking sensitive internal information. …

Remediation: Upgrade to one of the fixed OTP releases: OTP 29.0.2 (ftp 1.2.6), OTP 28.5.0.2 (ftp 1.2.4.1), or OTP 27.3.4.13 (ftp 1.2.3.1), available per the vendor advisory at https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq; upstream fix commits are at https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727 and https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605. …
