
CVE-2026-48858: ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks

AI Predicted: 5.3 · Difficulty: Easy · EPSS: 0.23% · P14

Affected Version Matrix (4 entries)

Vendor   Product   From                                        Before   Status
Erlang   OTP       5.10.4                                      7.0      affected
Erlang   OTP       1.0                                         *        affected
Erlang   OTP       17.4                                        *        affected
Erlang   OTP       be95772ee1fcfe71045ef070130bea7a910b81e3    *        affected

I. Basic Information for CVE-2026-48858

Vulnerability Information


Vulnerability Title
ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
Source: NVD (National Vulnerability Database)
Vulnerability Description
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts. The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30. This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
Source: NVD (National Vulnerability Database)
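The check that RFC 2577 section 3 recommends and that the description says the PASV handler skips, as an added Python example (not Erlang/OTP code): parse the 227 reply, then refuse any data endpoint whose host differs from the control connection's peer. The peer address and the two replies are constructed.

```python
import ipaddress
import re

# Address tuple of an RFC 959 "227 Entering Passive Mode" reply: h1,h2,h3,h4,p1,p2.
_PASV_RE = re.compile(r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class PasvRejected(ValueError):
    """The 227 reply is malformed or names a host other than the control peer."""


def parse_pasv_reply(line):
    """Extract (host, port) from a 227 reply; neither value is trusted yet."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise PasvRejected(f"malformed 227 reply: {line!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise PasvRejected(f"octet out of range in 227 reply: {line!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise PasvRejected("port 0 in 227 reply")
    return host, port


def data_endpoint_for_pasv(line, control_peer_ip):
    """Return the data endpoint a hardened client may connect to.

    RFC 2577 section 3: the host advertised in the 227 reply must equal the
    address the control connection already talks to; anything else (an
    internal host, a third party for an FTP bounce) is refused, not dialled.
    """
    host, port = parse_pasv_reply(line)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise PasvRejected(
            f"227 reply advertises {host}:{port} but control peer is "
            f"{control_peer_ip}; refusing data connection"
        )
    return host, port


if __name__ == "__main__":
    CONTROL_PEER = "198.51.100.20"  # constructed: server the control socket is connected to
    # Constructed replies: an honest one, and one that redirects the data
    # connection to a private address only the client's network can reach.
    honest = "227 Entering Passive Mode (198,51,100,20,195,80)"
    redirect = "227 Entering Passive Mode (10,0,0,5,0,80)"
    print(data_endpoint_for_pasv(honest, CONTROL_PEER))  # ('198.51.100.20', 50000)
    try:
        data_endpoint_for_pasv(redirect, CONTROL_PEER)
    except PasvRejected as exc:
        print("rejected:", exc)
```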
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Server-Side Request Forgery (SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Erlang/OTP code issue vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Erlang/OTP is an open-source library from Erlang/OTP, written in JavaScript, for handling exceptions; the library can catch exceptions raised by Node.js built-in APIs. Erlang/OTP inets 5.10.4 before 7.0 and ftp 1.0 before 1.2.6, as well as versions 1.2.4.1 and 1.2.3.1, contain a code issue vulnerability. The flaw arises because the PASV handler in the ftp_internal module does not validate the IP address in the server's 227 response and passes it directly to gen_tcp:connect/4, which may lead to FTP bounce attacks and server-side request forgery.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor   Product   Affected Versions   CPE
Erlang   OTP       5.10.4 ~ 7.0        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Erlang   OTP       1.0 ~ *             cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Erlang   OTP       17.4 ~ *            cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*

II. Public POCs for CVE-2026-48858


No public POC found.


III. Intelligence Information for CVE-2026-48858


Patches & Fixes for CVE-2026-48858 (2)

Vendor Advisories for CVE-2026-48858 (3)

Same Patch Batch · Erlang · 2026-06-10 · 7 CVEs total

CVE-2026-48860: Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion i
CVE-2026-48856: httpc leaks Authorization header to cross-origin redirect targets
CVE-2026-48859: SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated usernam
CVE-2026-48855: SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
CVE-2026-49759: Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash
CVE-2026-49760: Stack Buffer Overflow in ei_s_print_term at Very Large Integer

IV. Related Vulnerabilities

V. Comments for CVE-2026-48858

No comments yet
