CVE-2026-48858
Published 2026-06-10
CVE-2026-48858: Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP…
Priority: P3 · 41
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.23% (14.2th percentile)
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.
The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.
The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.
The ftp application is deprecated and scheduled for removal in OTP-30.
This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).
This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
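The check that RFC 2577 section 3 recommends, and that the PASV handler described above omits, is small: compare the address advertised in the 227 reply with the address the control socket is actually connected to, and refuse the data connection when they differ. The following Python module is an added example written for this page; it is not Erlang/OTP code and not the upstream fix, and the names parse_pasv, parse_epsv and data_endpoint are this example's own. It applies the same default policy that Python's ftplib uses (server-supplied PASV addresses are not trusted unless the caller opts in) and also shows the EPSV path, where the reply carries no address at all and the control peer is always reused.

```python
"""Hardened handling of FTP passive-mode replies (added example, not OTP code)."""
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||tcp-port|)".
_EPSV_RE = re.compile(r"^229[^(]*\(\|\|\|(\d{1,5})\|\)")


class PassiveReplyError(ValueError):
    """Raised when a 227/229 reply is malformed or names an untrusted address."""


def _canonical_ipv4(text):
    """Normalise an address so '::ffff:192.0.2.10' and '192.0.2.10' compare equal.

    Assumes `text` is a literal IP address, which is what getpeername() returns.
    """
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, rejecting out-of-range fields."""
    m = _PASV_RE.match(reply)
    if m is None:
        raise PassiveReplyError(f"not a well-formed 227 reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise PassiveReplyError(f"field out of range in 227 reply: {reply!r}")
    host = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise PassiveReplyError("227 reply advertises port 0")
    return host, port


def parse_epsv(reply):
    """Return the port from a 229 reply; EPSV carries no address by design."""
    m = _EPSV_RE.match(reply)
    if m is None:
        raise PassiveReplyError(f"not a well-formed 229 reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise PassiveReplyError(f"port out of range in 229 reply: {reply!r}")
    return port


def data_endpoint(reply, control_peer, trust_server_address=False):
    """Decide where the data connection may go.

    control_peer is the address the control socket is connected to (what
    getpeername() reports). Following RFC 2577 section 3, a PASV address that
    differs from it is refused unless the caller explicitly opts in; this is
    the comparison the vulnerable handler skips before calling connect.
    """
    peer = _canonical_ipv4(control_peer)
    if reply.startswith("229"):
        # EPSV: the server only names a port, so the peer address is the only choice.
        return peer, parse_epsv(reply)
    host, port = parse_pasv(reply)
    if trust_server_address:
        # Explicit opt-in for servers behind NAT that legitimately advertise another address.
        return host, port
    if _canonical_ipv4(host) != peer:
        raise PassiveReplyError(
            f"server advertised {host} but control connection peer is {peer}; "
            "refusing to open data connection"
        )
    return peer, port


if __name__ == "__main__":
    # Constructed replies; 192.0.2.0/24 is documentation address space (RFC 5737).
    peer = "192.0.2.10"
    print(data_endpoint("227 Entering Passive Mode (192,0,2,10,195,80)", peer))
    try:
        data_endpoint("227 Entering Passive Mode (10,0,0,5,0,21)", peer)
    except PassiveReplyError as exc:
        print("rejected:", exc)
```

Rejecting the mismatch (rather than silently substituting the control peer) makes a redirecting server visible in client logs, which is the signal a defender wants when hunting for this class of abuse; substituting the peer address, as ftplib does, is the quieter alternative.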
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | — | — |
| erlang | erlang_inets | >= 5.10.4 < 7.0 | 7.0 |
| erlang | erlang_otp | >= 17.4 < 27.3.4.13 | 27.3.4.13 |
| erlang | erlang_otp | >= 28.0 < 28.5.0.2 | 28.5.0.2 |
| erlang | erlang_otp | >= 29.0 < 29.0.2 | 29.0.2 |
| erlang | ftp | >= 1.0 < 1.2.3.1 | 1.2.3.1 |
| erlang | ftp | >= 1.2.4 < 1.2.4.1 | 1.2.4.1 |
| erlang | ftp | >= 1.2.5 < 1.2.6 | 1.2.6 |
| erlang | otp | >= 1.0 < * | * |
| erlang | otp | >= 17.4 < * | * |
| erlang | otp | >= 5.10.4 < 7.0 | 7.0 |
| erlang | otp | >= be95772ee1fcfe71045ef070130bea7a910b81e3 < * | * |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | v4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 6.5 | MEDIUM | |
VulDB
Erlang OTP up to 6.x PASV ftp_internal.erl server-side request forgery (GHSA-24cv-hwgr-37fq)
vuldb·2026-06-10·CVSS 6.5
A vulnerability categorized as critical has been discovered in Erlang OTP up to 6.x. Impacted is an unknown function in the library lib/inets/src/ftp/ftp_internal.erl of the component PASV Handler. Executing a manipulation can lead to server-side request forgery.
This vulnerability is registered as CVE-2026-48858. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
Red Hat
erlang: erlang-inets: erlang-ftp: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via unvalidated PASV response IP address
vendor_redhat·2026-06-10·CVSS 6.5
CVE-2026-48858 [MEDIUM] CWE-918 erlang: erlang-inets: erlang-ftp: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via unvalidated PASV response IP address
A flaw was found in Erlang/OTP's FTP (File Transfer Protocol) client, specifically within the ftp_internal module. A remote attacker, by operating a malicious or compromised FTP server, could exploit an unvalidated IP address in the server's passive mode (PASV) response. This vulnerability, known as Server-Side Request Forgery (SSRF), allows the attacker to redirect the client's data connection to an arbitrary internal host and port. This can lead to information disclosure from internal systems or the sending of sensitive data to unintended third-party hosts, enabling FTP bounce attacks.
Mitigation: To mitigate this vulnerability, restrict network access for syste
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48858 erlang: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via unvalidated PASV response IP address [epel-all]
bugzilla·2026-06-16·CVSS 6.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48858 erlang: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via unvalidated PASV response IP address [fedora-all]
bugzilla·2026-06-16·CVSS 6.5
Bugzilla
CVE-2026-48858 erlang: erlang-inets: erlang-ftp: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via unvalidated PASV response IP address
bugzilla·2026-06-10·CVSS 6.5
References:
- https://cna.erlef.org/cves/CVE-2026-48858.html
- https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727
- https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605
- https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq
- https://osv.dev/vulnerability/EEF-CVE-2026-48858
- https://www.erlang.org/doc/system/versions.html#order-of-versions

Published 2026-06-10