CVE-2025-30211
Published: 28 March 2025
Summary
CVE-2025-30211 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 35.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces validation of algorithm name lengths in SSH KEX init messages against the RFC limit of 64 characters, directly preventing excessive memory allocation from malformed inputs.
- Implements denial-of-service protections such as rate limiting and resource quotas for SSH connections to mitigate remote memory exhaustion attacks.
- Requires timely flaw remediation through patching to versions such as OTP-27.3.1 that enforce algorithm name length checks in the SSH implementation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to send crafted SSH KEX init messages with oversized algorithm names, triggering excessive memory allocation and resource exhaustion on the SSH server, directly mapping to application/system exploitation for endpoint DoS.
NVD Description
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
Deeper analysis
CVE-2025-30211 is a vulnerability in Erlang/OTP, a set of libraries for the Erlang programming language, affecting versions prior to OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19. The issue stems from the SSH implementation's failure to verify RFC-specified limits on algorithm names, which are restricted to 64 characters in KEX init messages. A maliciously formed KEX init message with oversized algorithm names triggers inefficient error processing, leading to excessive memory allocation and potential high memory usage.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Remote attackers can send a specially crafted KEX init packet to an affected Erlang/OTP SSH server, causing significant memory consumption and potential denial-of-service through resource exhaustion.
Patched versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 address the issue by enforcing the algorithm name length limits. Advisories recommend upgrading to these versions; workarounds include setting the `parallel_login` option to `false` and/or reducing the `max_sessions` option to limit exposure. Further details are available in the Erlang/OTP GitHub security advisory (GHSA-vvr3-fjhh-cfwc) and Debian LTS announcement.
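The check the advisory describes is a length limit on each algorithm name in the KEXINIT name-lists. The following is an added illustration, not Erlang/OTP's own code: a Python parser for SSH_MSG_KEXINIT that rejects a name-list as soon as a name exceeds the RFC 4251 limit of 64 characters, before any further processing of the message. The per-field byte cap, the function names and the test vectors are assumptions for this example; the OTP fix itself is not reproduced here.

```python
import struct

MAX_ALGORITHM_NAME_LEN = 64   # RFC 4251 limit the advisory says was not enforced
MAX_NAME_LIST_BYTES = 4096    # assumed cap per name-list field (not from the page)
SSH_MSG_KEXINIT = 20
KEXINIT_NAME_LISTS = 10       # kex, hostkey, enc x2, mac x2, comp x2, lang x2

class KexInitValidationError(ValueError):
    """A KEXINIT field violates RFC 4253 structure or the RFC 4251 name limit."""

def parse_name_list(buf, offset=0):
    """Parse one name-list at offset, rejecting over-long names before decoding."""
    if len(buf) < offset + 4:
        raise KexInitValidationError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if length > MAX_NAME_LIST_BYTES or len(buf) < end:
        raise KexInitValidationError(f"name-list length {length} invalid")
    names = []
    for name in (buf[offset + 4:end].split(b",") if length else []):
        if not name.isascii() or not 1 <= len(name) <= MAX_ALGORITHM_NAME_LEN:
            raise KexInitValidationError(f"bad algorithm name of length {len(name)}")
        names.append(name.decode("ascii"))
    return names, end

def parse_kexinit(payload):
    """Validate a whole SSH_MSG_KEXINIT payload and return its ten name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitValidationError("not a KEXINIT payload")
    offset, lists = 17, []  # skip 1-byte message id + 16-byte cookie
    for _ in range(KEXINIT_NAME_LISTS):
        names, offset = parse_name_list(payload, offset)
        lists.append(names)
    return lists  # trailer (bool first_kex_packet_follows + uint32 reserved) not checked

def is_acceptable(payload):
    try:
        return bool(parse_kexinit(payload))
    except KexInitValidationError:
        return False

def build_kexinit(lists):  # encoder, used here only to build constructed test vectors
    fields = [",".join(names).encode("ascii") for names in lists]
    body = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + bytes(5)

# Constructed vectors (not captured traffic): normal, and a 200-char kex name as the advisory describes.
NORMAL_LISTS = ([["curve25519-sha256"], ["ssh-ed25519"]] + [["aes256-gcm@openssh.com"]] * 2
                + [["hmac-sha2-256"]] * 2 + [["none"]] * 2 + [[]] * 2)
OVERSIZED_LISTS = [["x" * 200]] + NORMAL_LISTS[1:]
```

`is_acceptable(build_kexinit(NORMAL_LISTS))` returns True, while the oversized vector is refused before any name is decoded; the length prefix cap also stops a hostile uint32 from driving a large read on its own.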
Details
- CWE(s)