CVE-2025-30211: KEX init error results with excessive memory usage

7.5 CVSS

Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.

Classification

CVE ID: CVE-2025-30211

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-789: Memory Allocation with Excessive Size Value

Affected Products

Vendor: erlang

Product: otp

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.39% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30211
https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc

Timeline

2025-03-28 15:40:16 UTC
CVE

KEX init error results with excessive memory usage
2025-04-14 06:00:41 UTC
Tenable Plugins

Azure Linux 3.0 Security Update: erlang (CVE-2025-30211)