CVE-2026-48858
Received Received - Intake
SSRF in Erlang/OTP FTP PASV Response Handling

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: EEF

Description
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts. The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30. This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-48858
EUVD
EUVD-2026-36055
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
erlang otp From 17.4 (inc) to 29.0.2 (exc)
erlang inets From 5.10.4 (inc) to 7.0 (exc)
erlang ftp From 1.0 (inc) to 1.2.6 (exc)
erlang ftp to 1.2.4.1 (exc)
erlang ftp to 1.2.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows a malicious or compromised FTP server to redirect the client's data connection to arbitrary internal hosts or third-party hosts, enabling Server-Side Request Forgery (SSRF) and FTP bounce attacks. This could potentially expose sensitive internal systems or data to unauthorized access.

Such unauthorized data exposure or transfer could lead to non-compliance with data protection regulations and standards like GDPR or HIPAA, which require strict controls on data confidentiality and integrity.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Executive Summary

CVE-2026-48858 is a Server-Side Request Forgery (SSRF) vulnerability in the Erlang/OTP FTP client, specifically in the ftp_internal module. It occurs because the PASV handler extracts the IP address from the FTP server's 227 response and uses it directly without validating it against the control connection's peer address.

This lack of validation allows a malicious or compromised FTP server to redirect the client's data connection to an arbitrary internal host and port. This can be exploited to perform SSRF attacks against internal hosts, cloud metadata endpoints, or to conduct FTP bounce attacks against third-party hosts.

The vulnerability affects both read operations (such as ftp:ls, ftp:nlist, ftp:recv) where data from the redirected target is returned to the client, and write operations (such as ftp:send, ftp:append) where file content is sent to the redirected target.

The issue exists in the default configuration using passive mode (PASV) with IPv4 and without FTP extensions. The vulnerability was fixed by changing the PASV handler to validate the IP address by deriving it from the control connection's peer address instead of trusting the server-supplied IP.

Impact Analysis

This vulnerability can impact you by allowing a malicious FTP server to redirect your FTP client's data connection to arbitrary internal or external hosts. This can lead to unauthorized access or exposure of internal network resources.

An attacker can exploit this to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing sensitive internal services such as cloud metadata endpoints that are normally protected from external access.

Additionally, FTP bounce attacks can be conducted against third-party hosts, which may be used to bypass network restrictions or perform unauthorized file transfers.

The vulnerability affects FTP client operations including listing directories, receiving files, and sending or appending files, meaning both data retrieval and data transmission can be manipulated.

Detection Guidance

Detection of this vulnerability involves monitoring FTP client connections that use the PASV (passive) mode and checking if the IP address in the server's 227 PASV response is being used without validation against the control connection peer address.

One approach is to capture and analyze FTP control connection traffic to observe the 227 PASV response IP addresses and verify if they differ from the control connection peer IP. This could indicate exploitation attempts or vulnerable client behavior.

Commands to assist detection might include using network packet capture tools such as tcpdump or Wireshark to filter FTP control traffic and inspect PASV responses. For example:

  • tcpdump -i <interface> -A 'tcp port 21 and (((tcp[12] & 0xf0) >> 2) > 0)'
  • In Wireshark, filter with 'ftp.response.code == 227' to view PASV responses and compare the IP addresses with the control connection peer IP.

Additionally, reviewing FTP client logs for unexpected data connection IP addresses differing from the control connection peer IP may help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include avoiding the vulnerable PASV mode configuration in the Erlang/OTP FTP client.

  • Configure the FTP client to use EPSV mode by passing the option {ftp_extension, true} to ftp:open/2, which uses a safer handler that validates the IP address.
  • Alternatively, switch the FTP client to active mode by passing {mode, active} to ftp:open/2, which bypasses the vulnerable PASV path.
  • Force the use of IPv6 by passing {ipfamily, inet6} to ftp:open/2, which also avoids the vulnerable PASV handler.

Ultimately, upgrading to a patched version of Erlang/OTP (29.0.2, 28.5.0.2, 27.3.4.13 or later) or patched ftp versions (1.2.6, 1.2.4.1, 1.2.3.1 or later) is recommended to fully resolve the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart