CVE-2026-48858: Erlang/OTP FTP SSRF via Unvalidated PASV Response
An attacker who controls or compromises an FTP server can trick Erlang/OTP applications into connecting to arbitrary internal hosts and ports by injecting a malicious IP address into the FTP PASV response. When the client application tries to read or write files, traffic gets redirected to the attacker's chosen target—enabling probes against internal infrastructure, cloud metadata services, or attacks on third-party hosts. The flaw exists in how Erlang's FTP client parses the PASV response without checking that the redirected address actually belongs to the FTP server it connected to.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-918
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts. The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30. This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-48858 is a Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP's FTP implementation, specifically the ftp_internal:handle_ctrl_result/2 function handling PASV mode responses. The vulnerability occurs because the PASV handler extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. In contrast, the EPSV handlers correctly derive the IP from the control socket's peername. An attacker operating a malicious FTP server can inject an arbitrary IP address in the PASV response, causing the client to establish a data connection to that address instead of the FTP server. RFC 2577 section 3 explicitly recommends this validation; its absence creates a vulnerability in the default configuration (passive mode, inet family, ftp_extension disabled). Data read operations return content from the redirected host; write operations send client data to it, enabling both SSRF and FTP bounce attacks. The vulnerable code path appears in inets (versions 5.10.4–6.5) under OTP 17.4–20.3, and in the standalone ftp application (version 1.0 and later) under OTP 21.0 and later.
Business impact
For organizations using Erlang/OTP-based applications that consume FTP services, this vulnerability enables attackers to pivot from compromised or attacker-controlled FTP servers into internal network segments. An attacker can enumerate internal hosts, access cloud metadata endpoints (such as AWS IMDSv1), exfiltrate sensitive data from internal systems, or perform FTP bounce attacks against third-party targets—in the last case, obscuring the attacker's origin. The risk is elevated in environments where Erlang applications interact with untrusted or Internet-facing FTP servers. The deprecated status of the ftp application in OTP-30 roadmap suggests adoption may be concentrated in legacy systems, potentially delaying security awareness and patching.
Affected systems
The vulnerability affects Erlang/OTP versions 17.4 through 29.0.1 (inclusive), with specific patch lines: OTP 28.5.0.2, OTP 27.3.4.13, and OTP 29.0.2 contain fixes. The inets library is vulnerable in versions 5.10.4 through 6.5; the standalone ftp application is vulnerable in version 1.0 and all subsequent releases prior to patched versions 1.2.6, 1.2.4.1, and 1.2.3.1. Any Erlang application using the standard ftp module in passive mode (the default) with ipfamily=inet and ftp_extension=false is affected. Applications that explicitly use EPSV mode or validate PASV responses are not vulnerable.
Exploitability
Exploitation requires network-level control or compromise of an FTP server that the target application connects to. No special privileges, authentication, or user interaction are needed once the application initiates an FTP session. The default configuration is vulnerable, making exploitation straightforward for an attacker who can position themselves between the Erlang client and any FTP server it uses, or who controls a server the application legitimately connects to. Passive mode is the most common FTP configuration, further increasing practical exploitability. This is not a vulnerability in FTP protocol itself; it is a client-side validation failure specific to Erlang's implementation.
Remediation
Upgrade Erlang/OTP and ftp components to patched versions: OTP 29.0.2 or later, OTP 28.5.0.2 or later (for OTP 28.x), or OTP 27.3.4.13 or later (for OTP 27.x). For the standalone ftp application, upgrade to version 1.2.6, 1.2.4.1, or 1.2.3.1 depending on your release line. Interim mitigations include configuring applications to use EPSV mode if the server supports it, restricting FTP server connectivity to trusted internal hosts only, or wrapping FTP calls with network segmentation controls. Monitor network access logs for unusual FTP data connection attempts to non-server addresses.
Patch guidance
Consult the Erlang/OTP release notes for your version to verify the patch availability. For OTP 27.x users, OTP 27.3.4.13 contains the fix; for OTP 28.x, apply OTP 28.5.0.2 or upgrade to OTP 28.5.x. OTP 29.x users must upgrade to OTP 29.0.2 or later. If using the standalone ftp application, verify the exact version number in your environment (run ftp:module_info(attributes) or check rebar.lock / mix.exs) and cross-reference against vendor advisories for the corresponding patch version. Test patches in a non-production environment first, as Erlang upgrades may affect other OTP applications. Given the ftp application's deprecated status, consider whether your application can migrate to alternative FTP libraries or protocols (SFTP, HTTP) as a long-term strategy.
Detection guidance
Monitor FTP command logs and network flows for PASV responses followed by data connection attempts to addresses that differ from the control connection peer. In Erlang applications, enable debug logging on the ftp module (via lager or error_logger) to capture connection events. Look for warnings or errors related to unexpected IP addresses in PASV handling. Network-level detection: flag FTP control connections from Erlang application servers followed by data connections to non-FTP-server IP addresses (e.g., internal infrastructure, cloud metadata endpoints, or external third parties). Endpoint detection and response (EDR) tools may identify suspicious outbound connections initiated by Erlang processes in response to FTP operations. Review application logs for unusual data retrieval or file transfer activity that does not correspond to legitimate FTP operations.
Why prioritize this
CVSS 6.5 (Medium) reflects the network-required attack vector and lack of authentication/user interaction, balanced against moderate confidentiality and integrity impact. However, prioritization should be elevated in organizations where Erlang applications interact with FTP servers on the Internet or in untrusted network segments, or where internal infrastructure (cloud metadata, sensitive databases) is reachable from application servers. Legacy Erlang deployments may have longer patching cycles, justifying higher priority for early planning. Organizations with strict network segmentation and FTP-to-trusted-internal-servers-only policies face lower risk but should still patch to maintain defense-in-depth.
Risk score, explained
The CVSS 6.5 score is driven by network attack vector (AV:N), low attack complexity (AC:L), no privilege or user interaction requirement (PR:N/UI:N), and impact on confidentiality and integrity (C:L/I:L). The scope is unchanged (S:U), meaning the attacker cannot alter the security context beyond the vulnerable component itself. There is no availability impact (A:N). The score reflects a realistic threat: an attacker must compromise or control an FTP server the target communicates with, but exploitation is then trivial. The CVSS does not account for business context (e.g., metadata endpoint exposure, internal network architecture) or organizational risk tolerance, so security teams should adjust prioritization based on their own environment.
Frequently asked questions
Do I need to use FTP in passive mode to be vulnerable?
Yes. The vulnerability is specific to passive mode (PASV) with the default ipfamily=inet and ftp_extension=false settings. If your application explicitly uses EPSV mode or has validated the PASV response IP against the control peer address, it is not vulnerable. However, passive mode is the default in Erlang's ftp module, so most applications are affected unless explicitly configured otherwise.
Can an attacker exploit this without access to an FTP server?
No. The attacker must control or compromise an FTP server that your Erlang application connects to, or be able to intercept and modify FTP traffic between the application and a legitimate server. The vulnerability cannot be exploited through a network-based attack alone without touching an FTP server component.
What should we do if we cannot upgrade Erlang/OTP immediately?
As interim measures: restrict your application's FTP connections to trusted internal servers only (network segmentation), enable EPSV mode if your FTP servers support it, monitor network logs for unexpected outbound connections from FTP operations, and plan a phased upgrade of Erlang/OTP in your release pipeline. Document the risk in your vulnerability register and set a firm upgrade deadline.
Is the ftp application being removed from Erlang/OTP?
Yes, the ftp application is deprecated and scheduled for removal in OTP-30. If you are running older versions of Erlang/OTP, this patch may be among the last security updates for the ftp module. Organizations should evaluate migrating to SFTP, FTPS, or HTTP-based file transfer protocols as part of their long-term Erlang roadmap.
This analysis is based on the CVE description and vendor advisories as of the publication date. Specific patch versions and affected version ranges should be verified against official Erlang/OTP and ftp application release notes before deployment. No exploit code is provided or implied. Organizations should conduct their own risk assessment based on their Erlang deployment footprint, network architecture, and FTP server integration patterns. This document is for informational purposes and does not constitute official security advice from Erlang/OTP maintainers or SEC.co's clients' own security teams. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk
- CVE-2026-10177MEDIUMSSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint
- CVE-2026-10239MEDIUMJeecgBoot Server-Side Request Forgery (SSRF) in Word Editing Module
- CVE-2026-10240MEDIUMJeecgBoot SSRF Vulnerability in /airag/airagModel/test Endpoint
- CVE-2026-10241MEDIUMJimuReport SSRF in File Download Function – Patch to 3.9.2
- CVE-2026-10274MEDIUMServer-Side Request Forgery in aem-mcp-server
- CVE-2026-10276MEDIUMJenkins-server-mcp SSRF Vulnerability (0.1.0)
- CVE-2026-10517MEDIUMClair SSRF Vulnerability – Unfiltered HTTP Requests Leak Metadata