PT-2026-48465 · Unknown · Erlang/Otp

Published 2026-06-10 · Updated 2026-06-10 · CVE-2026-48858

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Erlang/OTP versions 17.4 through 29.0.1
Erlang/OTP versions 28.0 through 28.5.0.1
Erlang/OTP versions 27.0 through 27.3.4.12
Description

A Server-Side Request Forgery (SSRF) issue exists in the ftp_internal module of Erlang/OTP. The handle_ctrl_result/2 PASV handler extracts the IP address from the server's 227 response and passes it to gen_tcp:connect/4 without validating it against the control connection peer address. This allows a malicious or compromised FTP server to redirect the client's data connection to an arbitrary internal host and port. During read operations such as ls(), nlist(), and recv(), data from the redirected target is returned to the caller. During write operations such as send() and append(), file content is sent to the redirected target. This enables SSRF against internal hosts and cloud metadata endpoints, as well as FTP bounce attacks against third-party hosts. The issue occurs under the default configuration, where mode is set to passive, ipfamily to inet, and ftp_extension to false.
Recommendations

Update Erlang/OTP to version 29.0.2, 28.5.0.2, or 27.3.4.13. As a temporary workaround, pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6 and bypass the vulnerable PASV path.
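As an added illustration (Python, not code from the OTP ftp module), this is the check the advisory says the PASV handler lacks: parse the server's 227 reply and accept the advertised data-connection host only if it equals the control connection peer, either refusing the transfer or pinning the data connection to the control peer. The 227 replies and peer addresses below are constructed sample values.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvRedirect(Exception):
    """The server advertised a data host other than the control connection peer."""


def parse_pasv_reply(line):
    """Return (host, port) advertised in a 227 reply; reject malformed replies."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in 227 reply")
    host = ".".join(str(o) for o in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return host, port


def data_endpoint(line, control_peer, pin_to_control_peer=False):
    """Decide where the data connection may go.

    The advertised host must equal the control connection peer (the validation the
    advisory describes as missing). On a mismatch, either raise PasvRedirect so the
    caller can log and abort, or, with pin_to_control_peer=True, ignore the advertised
    host and connect to the control peer on the advertised port instead.
    """
    host, port = parse_pasv_reply(line)
    if ipaddress.ip_address(host) == ipaddress.ip_address(control_peer):
        return host, port
    if pin_to_control_peer:
        return control_peer, port
    raise PasvRedirect(
        f"227 reply points at {host}:{port} but control peer is {control_peer}"
    )


def pasv_reply_is_safe(line, control_peer):
    """True if the reply is well formed and names the control peer as data host."""
    try:
        data_endpoint(line, control_peer)
        return True
    except (PasvRedirect, ValueError):
        return False
```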

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-48858
GHSA-24CV-HWGR-37FQ

Affected Products

Erlang/Otp