FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Erlang/OTP -- FTP passive-mode client does not validate server response IP

Affected packages
erlang-runtime27 < 27.3.4.13
erlang-runtime28 < 28.5.0.2
erlang-runtime29 < 29.0.2

Details

VuXML ID d87e0681-64d4-11f1-ab11-4c526214c986
Discovery 2026-06-10
Entry 2026-06-10

https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq reports:

The FTP client in passive mode did not validate the IP address returned in the server's response, allowing a compromised or malicious server to redirect the data connection to an arbitrary host. This enables server-side request forgery (SSRF) and FTP bounce attacks.
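The check the advisory describes, as an added example in Python that is not code from Erlang/OTP or from the advisory: parse a PASV (227) reply and compare the advertised data-connection host with the address the control socket is actually connected to, shown beside the unchecked behaviour. All reply strings and addresses are constructed.

```python
"""Added example (not from Erlang/OTP or the advisory): parsing an FTP
PASV reply and checking the advertised data-connection host against the
control connection's peer, the validation the unpatched client lacked.
All reply strings and addresses here are constructed."""
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; ValueError if malformed."""
    if not reply.startswith("227 "):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("port 0 in PASV reply: %r" % reply)
    return host, port


def data_endpoint_unchecked(reply):
    """Vulnerable pattern: open the data connection wherever the reply points."""
    return parse_pasv(reply)


def data_endpoint_checked(reply, control_peer, strict=False):
    """Hardened pattern: the data connection must go to the same host the
    control connection is talking to.  control_peer is the IP the control
    socket is connected to (getpeername()), not the hostname the user typed.
    On a mismatch, either refuse (strict=True) or ignore the server-supplied
    address and reuse control_peer, as several mainstream clients do."""
    host, port = parse_pasv(reply)
    if host != control_peer:
        if strict:
            raise ValueError("PASV reply redirects data connection to %s "
                             "(control peer is %s)" % (host, control_peer))
        host = control_peer
    return host, port
```

Python's own ftplib applies the same substitution by default (its `trust_server_pasv_ipv4_address` attribute is False), so the server-supplied address is only honoured when the caller opts in.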

References

CVE Name CVE-2026-48858
URL https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq