CVE-2025-30211
📋 TL;DR
This vulnerability in Erlang/OTP allows attackers to cause a denial of service through memory exhaustion by sending specially crafted SSH KEX init messages. The implementation fails to enforce the RFC limits on algorithm name lengths, leading to excessive memory allocation. Systems running vulnerable Erlang/OTP versions with SSH services enabled are affected.
💻 Affected Systems
- Erlang/OTP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially affecting all SSH connections and dependent services.
Likely Case
Degraded performance or temporary service disruption for SSH connections, requiring system restart.
If Mitigated
Minimal impact with proper network controls and workarounds applied.
🎯 Exploit Status
Exploitation requires network access to SSH service but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OTP-27.3.1, OTP-26.2.5.10, or OTP-25.3.2.19
Vendor Advisory: https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc
Restart Required: Yes
Instructions:
1. Identify the current Erlang/OTP version.
2. Upgrade to the patched version matching your release series.
3. Restart all Erlang applications and SSH services.
🔧 Temporary Workarounds
Disable parallel login
Set the parallel_login option to false to reduce attack surface
Add {parallel_login, false} to SSH configuration
Reduce max sessions
Limit the maximum number of SSH sessions to reduce impact
Add {max_sessions, N} to the SSH configuration, where N is a reduced value
🧯 If You Can't Patch
- Implement network segmentation to restrict SSH access to trusted sources only
- Deploy rate limiting or connection throttling for SSH services
🔍 How to Verify
Check if Vulnerable:
Check the Erlang version with 'erl -version' and verify whether it is below the patched versions
Check Version:
erl -version
Verify Fix Applied:
Confirm the version is OTP-27.3.1, OTP-26.2.5.10, or OTP-25.3.2.19, or higher within the same release series
📡 Detection & Monitoring
Log Indicators:
- Unusually large SSH packets
- Memory allocation errors
- SSH connection failures
Network Indicators:
- Large SSH KEX init packets (> typical size)
- Multiple SSH connections with abnormal packet sizes
SIEM Query:
source="ssh" AND packet_size>1000 | stats count by src_ip
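A more precise check than raw packet size, as an added Python example that is not from this page or from Erlang/OTP: it parses an SSH_MSG_KEXINIT payload according to RFC 4253 section 7.1 and flags any algorithm name that breaks the RFC 4251 section 6 rules (non-empty, printable US-ASCII, at most 64 characters), which is the limit the TL;DR says the vulnerable implementation did not enforce. KEXINIT is exchanged before encryption is negotiated, so a capture pipeline can see it in the clear; the message layout and the 64-character bound are from the RFCs, and the sample payloads are constructed here for testing.

```python
import struct

SSH_MSG_KEXINIT = 20
# RFC 4251 section 6: names are non-empty printable US-ASCII, at most 64 characters.
MAX_ALGO_NAME_LEN = 64
# Ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (message id, cookie, ten name-lists) into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # one-byte message id followed by the 16-byte random cookie
    lists = {}
    for field in KEXINIT_NAME_LISTS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT: missing length of %s" % field)
        (n,) = struct.unpack_from(">I", payload, off)  # uint32 length of the name-list
        off += 4
        if n > len(payload) - off:
            raise ValueError("name-list %s claims %d bytes, only %d remain" % (field, n, len(payload) - off))
        raw = payload[off:off + n]
        off += n
        lists[field] = raw.split(b",") if raw else []  # empty list is legal, empty name is not
    return lists

def find_bad_names(payload: bytes, limit: int = MAX_ALGO_NAME_LEN) -> list:
    """Return (field, length) for every algorithm name that violates the RFC 4251 rules."""
    findings = []
    for field, names in parse_kexinit(payload).items():
        for name in names:
            printable = all(0x21 <= b <= 0x7E for b in name)  # visible ASCII, no whitespace
            if not name or len(name) > limit or not printable:
                findings.append((field, len(name)))
    return findings

def build_kexinit(lists: dict) -> bytes:
    """Constructed test-data builder: serialise name-lists into a KEXINIT payload."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for test data
    for field in KEXINIT_NAME_LISTS:
        raw = b",".join(lists.get(field, []))
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
```

Feed it the decrypted KEXINIT payload (after the SSH binary-packet framing is stripped) from a capture or honeypot; any non-empty result is a far stronger indicator than a size threshold alone.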