CVE-2025-30211: KEX init error results with excessive memory usage
First published: Fri Mar 28 2025(Updated: )
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Erlang/OTP | <27.3.1<26.2.5.10<25.3.2.19 | |
| debian/erlang | <=1:23.2.6+dfsg-1+deb11u1<=1:25.2.3+dfsg-1 | 1:27.3.1+dfsg-1 1:27.3.2+dfsg-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30211
- https://nvd.nist.gov/vuln/detail/CVE-2025-30211
- https://launchpad.net/bugs/cve/CVE-2025-30211
- https://security-tracker.debian.org/tracker/CVE-2025-30211
- https://ubuntu.com/security/CVE-2025-30211
- https://github.com/erlang/otp/commit/df3aad2c5570847895562ff96a725190571f028c
- https://github.com/erlang/otp/commit/655e20a49ef80431e86ffb6c7f366d01fd4b64c3
- https://github.com/erlang/otp/commit/d64d9fb0688092356a336e38a8717499113312a0
- https://github.com/erlang/otp/commit/5ee26eb412a76ba1c6afdf4524b62939a48d1bce
Frequently Asked Questions
What is the severity of CVE-2025-30211?
CVE-2025-30211 is considered a high-severity vulnerability due to its potential impact on memory usage and denial of service.
How do I fix CVE-2025-30211?
To fix CVE-2025-30211, upgrade to Erlang/OTP version OTP-27.3.1, 26.2.5.10, or 25.3.2.19 or later.
What versions of Erlang/OTP are affected by CVE-2025-30211?
CVE-2025-30211 affects versions of Erlang/OTP prior to OTP-27.3.1, 26.2.5.10, and 25.3.2.19.
How does CVE-2025-30211 affect the performance of applications?
CVE-2025-30211 can lead to high memory usage by applications using affected versions of Erlang/OTP, potentially causing slowdowns or crashes.
Is CVE-2025-30211 a remote code execution vulnerability?
CVE-2025-30211 is not a remote code execution vulnerability but can lead to denial of service due to excessive resource consumption.
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/author
- agent/severity
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/source
- agent/description
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- vendor/erlang
- canonical/erlang/otp
- package-manager/debian