CVE-2025-32433

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-32433

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32433.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-32433

Aliases

GHSA-37cp-fgq5-7wc2

Related

Published

2025-04-16T22:15:14Z

Modified

2025-04-26T00:58:21.349163Z

Downstream

DLA-4132-1

DSA-5906-1

Summary

[none]

Details

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

References

Affected packages

Debian:11 / erlang

Package

Name: erlang
Purl: pkg:deb/debian/erlang?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:23.2.6+dfsg-1+deb11u2

Affected versions

1:23.*

1:23.2.6+dfsg-1

1:23.2.6+dfsg-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / erlang

Package

Name: erlang
Purl: pkg:deb/debian/erlang?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:25.2.3+dfsg-1+deb12u1

Affected versions

1:25.*

1:25.2.3+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / erlang

Package

Name: erlang
Purl: pkg:deb/debian/erlang?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:27.3.3+dfsg-1

Affected versions

1:25.*

1:25.2.3+dfsg-1

1:25.3.2.8+dfsg-1

1:25.3.2.10+dfsg-1

1:25.3.2.10+dfsg-2

1:25.3.2.11+dfsg-1

1:25.3.2.12+dfsg-1

1:25.3.2.12+dfsg-2

1:25.3.2.12+dfsg-3

1:26.*

1:26.0~rc2+dfsg-1

1:26.0~rc3+dfsg-1

1:26.0+dfsg-1

1:26.0.1+dfsg-1

1:26.0.2+dfsg-1

1:26.1.2+dfsg-1

1:26.2.1+dfsg-1

1:26.2.4+dfsg-1

1:27.*

1:27.0~rc3+dfsg-1

1:27.0~rc3+dfsg-2

1:27.0~rc3+dfsg-3

1:27.0~rc3+dfsg-4

1:27.0+dfsg-1

1:27.0.1+dfsg-1

1:27.0.1+dfsg-2

1:27.0.1+dfsg-3

1:27.1.2+dfsg-1

1:27.2+dfsg-1

1:27.2+dfsg-2

1:27.2+dfsg-3~exp1

1:27.2.1+dfsg-1

1:27.2.1+dfsg-2

1:27.2.2+dfsg-1

1:27.2.3+dfsg-1

1:27.2.4+dfsg-1

1:27.3+dfsg-1

1:27.3.1+dfsg-1

1:27.3.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/erlang/otp

Affected ranges

Type: GIT
Repo: https://github.com/erlang/otp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12

Fixed

6eef04130afc8b0ccb63c9a0d8650209cf54892f

Fixed

b1924d37fd83c070055beb115d5d6a6a9490b891

Affected versions

OTP-17.*

OTP-17.0

OTP-17.0.1

OTP-17.0.2

OTP-17.1

OTP-17.1.1

OTP-17.1.2

OTP-17.2

OTP-17.2.1

OTP-17.2.2

OTP-17.3

OTP-17.3.1

OTP-17.3.2

OTP-17.3.3

OTP-17.3.4

OTP-17.4

OTP-17.4.1

OTP-17.5

OTP-17.5.1

OTP-17.5.2

OTP-17.5.3

OTP-17.5.4

OTP-17.5.5

OTP-17.5.6

OTP-17.5.6.1

OTP-17.5.6.10

OTP-17.5.6.2

OTP-17.5.6.3

OTP-17.5.6.4

OTP-17.5.6.5

OTP-17.5.6.6

OTP-17.5.6.7

OTP-17.5.6.8

OTP-17.5.6.9

OTP-18.*

OTP-18.0

OTP-18.0-rc1

OTP-18.0-rc2

OTP-18.0.1

OTP-18.0.2

OTP-18.0.3

OTP-18.1

OTP-18.1.1

OTP-18.1.2

OTP-18.1.3

OTP-18.1.4

OTP-18.1.5

OTP-18.2

OTP-18.2.1

OTP-18.2.2

OTP-18.2.3

OTP-18.2.4

OTP-18.2.4.0.1

OTP-18.2.4.1

OTP-18.3

OTP-18.3.1

OTP-18.3.2

OTP-18.3.3

OTP-18.3.4

OTP-18.3.4.1

OTP-18.3.4.1.1

OTP-18.3.4.10

OTP-18.3.4.11

OTP-18.3.4.2

OTP-18.3.4.3

OTP-18.3.4.4

OTP-18.3.4.5

OTP-18.3.4.6

OTP-18.3.4.7

OTP-18.3.4.8

OTP-18.3.4.9

OTP-19.*

OTP-19.0

OTP-19.0-rc1

OTP-19.0-rc2

OTP-19.0.1

OTP-19.0.2

OTP-19.0.3

OTP-19.0.4

OTP-19.0.5

OTP-19.0.6

OTP-19.0.7

OTP-19.1

OTP-19.1.1

OTP-19.1.2

OTP-19.1.3

OTP-19.1.4

OTP-19.1.5

OTP-19.1.6

OTP-19.1.6.1

OTP-19.2

OTP-19.2.1

OTP-19.2.2

OTP-19.2.3

OTP-19.2.3.1

OTP-19.3

OTP-19.3.1

OTP-19.3.2

OTP-19.3.3

OTP-19.3.4

OTP-19.3.5

OTP-19.3.6

OTP-19.3.6.1

OTP-19.3.6.10

OTP-19.3.6.11

OTP-19.3.6.12

OTP-19.3.6.13

OTP-19.3.6.2

OTP-19.3.6.3

OTP-19.3.6.4

OTP-19.3.6.5

OTP-19.3.6.6

OTP-19.3.6.7

OTP-19.3.6.8

OTP-19.3.6.9

OTP-20.*

OTP-20.0

OTP-20.0-rc1

OTP-20.0-rc2

OTP-20.0.1

OTP-20.0.2

OTP-20.0.3

OTP-20.0.4

OTP-20.0.5

OTP-20.1

OTP-20.1.1

OTP-20.1.2

OTP-20.1.3

OTP-20.1.4

OTP-20.1.5

OTP-20.1.6

OTP-20.1.7

OTP-20.1.7.1

OTP-20.2

OTP-20.2.0.1

OTP-20.2.1

OTP-20.2.2

OTP-20.2.3

OTP-20.2.4

OTP-20.3

OTP-20.3.1

OTP-20.3.2

OTP-20.3.2.1

OTP-20.3.3

OTP-20.3.4

OTP-20.3.5

OTP-20.3.6

OTP-20.3.7

OTP-20.3.8

OTP-20.3.8.1

OTP-20.3.8.10

OTP-20.3.8.11

OTP-20.3.8.12

OTP-20.3.8.13

OTP-20.3.8.14

OTP-20.3.8.15

OTP-20.3.8.16

OTP-20.3.8.17

OTP-20.3.8.18

OTP-20.3.8.19

OTP-20.3.8.2

OTP-20.3.8.20

OTP-20.3.8.21

OTP-20.3.8.22

OTP-20.3.8.23

OTP-20.3.8.24

OTP-20.3.8.25

OTP-20.3.8.26

OTP-20.3.8.3

OTP-20.3.8.4

OTP-20.3.8.5

OTP-20.3.8.6

OTP-20.3.8.7

OTP-20.3.8.8

OTP-20.3.8.9

OTP-21.*

OTP-21.0

OTP-21.0-rc1

OTP-21.0-rc2

OTP-21.0.1

OTP-21.0.2

OTP-21.0.3

OTP-21.0.4

OTP-21.0.5

OTP-21.0.6

OTP-21.0.7

OTP-21.0.8

OTP-21.0.9

OTP-21.1

OTP-21.1.1

OTP-21.1.2

OTP-21.1.3

OTP-21.1.4

OTP-21.2

OTP-21.2.1

OTP-21.2.2

OTP-21.2.3

OTP-21.2.4

OTP-21.2.5

OTP-21.2.6

OTP-21.2.7

OTP-21.3

OTP-21.3.1

OTP-21.3.2

OTP-21.3.3

OTP-21.3.4

OTP-21.3.5

OTP-21.3.6

OTP-21.3.7

OTP-21.3.7.1

OTP-21.3.8

OTP-21.3.8.1

OTP-21.3.8.10

OTP-21.3.8.11

OTP-21.3.8.12

OTP-21.3.8.13

OTP-21.3.8.14

OTP-21.3.8.15

OTP-21.3.8.16

OTP-21.3.8.17

OTP-21.3.8.18

OTP-21.3.8.19

OTP-21.3.8.2

OTP-21.3.8.20

OTP-21.3.8.21

OTP-21.3.8.22

OTP-21.3.8.23

OTP-21.3.8.24

OTP-21.3.8.3

OTP-21.3.8.4

OTP-21.3.8.5

OTP-21.3.8.6

OTP-21.3.8.7

OTP-21.3.8.8

OTP-21.3.8.9

OTP-22.*

OTP-22.0

OTP-22.0-rc1

OTP-22.0-rc2

OTP-22.0-rc3

OTP-22.0.1

OTP-22.0.2

OTP-22.0.3

OTP-22.0.4

OTP-22.0.5

OTP-22.0.6

OTP-22.0.7

OTP-22.1

OTP-22.1.1

OTP-22.1.2

OTP-22.1.3

OTP-22.1.4

OTP-22.1.5

OTP-22.1.6

OTP-22.1.7

OTP-22.1.8

OTP-22.1.8.1

OTP-22.2

OTP-22.2.1

OTP-22.2.2

OTP-22.2.3

OTP-22.2.4

OTP-22.2.5

OTP-22.2.6

OTP-22.2.7

OTP-22.2.8

OTP-22.3

OTP-22.3.1

OTP-22.3.2

OTP-22.3.3

OTP-22.3.4

OTP-22.3.4.1

OTP-22.3.4.10

OTP-22.3.4.11

OTP-22.3.4.12

OTP-22.3.4.12.1

OTP-22.3.4.13

OTP-22.3.4.14

OTP-22.3.4.15

OTP-22.3.4.16

OTP-22.3.4.17

OTP-22.3.4.18

OTP-22.3.4.19

OTP-22.3.4.2

OTP-22.3.4.20

OTP-22.3.4.21

OTP-22.3.4.22

OTP-22.3.4.23

OTP-22.3.4.24

OTP-22.3.4.25

OTP-22.3.4.26

OTP-22.3.4.27

OTP-22.3.4.3

OTP-22.3.4.4

OTP-22.3.4.5

OTP-22.3.4.6

OTP-22.3.4.7

OTP-22.3.4.8

OTP-22.3.4.9

OTP-23.*

OTP-23.0

OTP-23.0-rc1

OTP-23.0-rc2

OTP-23.0-rc3

OTP-23.0.1

OTP-23.0.2

OTP-23.0.3

OTP-23.0.4

OTP-23.1

OTP-23.1.1

OTP-23.1.2

OTP-23.1.3

OTP-23.1.4

OTP-23.1.4.1

OTP-23.1.5

OTP-23.2

OTP-23.2.1

OTP-23.2.2

OTP-23.2.3

OTP-23.2.4

OTP-23.2.5

OTP-23.2.6

OTP-23.2.7

OTP-23.2.7.1

OTP-23.2.7.2

OTP-23.2.7.3

OTP-23.2.7.4

OTP-23.2.7.5

OTP-23.3

OTP-23.3.1

OTP-23.3.2

OTP-23.3.3

OTP-23.3.4

OTP-23.3.4.1

OTP-23.3.4.10

OTP-23.3.4.11

OTP-23.3.4.12

OTP-23.3.4.13

OTP-23.3.4.14

OTP-23.3.4.15

OTP-23.3.4.16

OTP-23.3.4.17

OTP-23.3.4.18

OTP-23.3.4.19

OTP-23.3.4.2

OTP-23.3.4.20

OTP-23.3.4.3

OTP-23.3.4.4

OTP-23.3.4.5

OTP-23.3.4.6

OTP-23.3.4.7

OTP-23.3.4.8

OTP-23.3.4.9

OTP-24.*

OTP-24.0

OTP-24.0-rc1

OTP-24.0-rc2

OTP-24.0-rc3

OTP-24.0.1

OTP-24.0.2

OTP-24.0.3

OTP-24.0.4

OTP-24.0.5

OTP-24.0.6

OTP-24.1

OTP-24.1.1

OTP-24.1.2

OTP-24.1.3

OTP-24.1.4

OTP-24.1.5

OTP-24.1.6

OTP-24.1.7

OTP-24.2

OTP-24.2.1

OTP-24.2.2

OTP-24.3

OTP-24.3.1

OTP-24.3.2

OTP-24.3.3

OTP-24.3.4

OTP-24.3.4.1

OTP-24.3.4.10

OTP-24.3.4.11

OTP-24.3.4.12

OTP-24.3.4.13

OTP-24.3.4.14

OTP-24.3.4.15

OTP-24.3.4.16

OTP-24.3.4.17

OTP-24.3.4.2

OTP-24.3.4.3

OTP-24.3.4.4

OTP-24.3.4.5

OTP-24.3.4.6

OTP-24.3.4.7

OTP-24.3.4.8

OTP-24.3.4.9

OTP-25.*

OTP-25.0

OTP-25.0-rc1

OTP-25.0-rc2

OTP-25.0-rc3

OTP-25.0.1

OTP-25.0.2

OTP-25.0.3

OTP-25.0.4

OTP-25.1

OTP-25.1.1

OTP-25.1.2

OTP-25.1.2.1

OTP-25.2

OTP-25.2.1

OTP-25.2.2

OTP-25.2.3

OTP-25.3

OTP-25.3.1

OTP-25.3.2

OTP-25.3.2.1

OTP-25.3.2.10

OTP-25.3.2.11

OTP-25.3.2.12

OTP-25.3.2.13

OTP-25.3.2.14

OTP-25.3.2.15

OTP-25.3.2.16

OTP-25.3.2.17

OTP-25.3.2.18

OTP-25.3.2.19

OTP-25.3.2.2

OTP-25.3.2.3

OTP-25.3.2.4

OTP-25.3.2.5

OTP-25.3.2.6

OTP-25.3.2.7

OTP-25.3.2.8

OTP-25.3.2.9

OTP-26.*

OTP-26.0

OTP-26.0-rc1

OTP-26.0-rc2

OTP-26.0-rc3

OTP-26.0.1

OTP-26.0.2

OTP-26.1

OTP-26.1.1

OTP-26.1.2

OTP-26.2

OTP-26.2.1

OTP-26.2.2

OTP-26.2.3

OTP-26.2.4

OTP-26.2.5

OTP-26.2.5.1

OTP-26.2.5.10

OTP-26.2.5.2

OTP-26.2.5.3

OTP-26.2.5.4

OTP-26.2.5.5

OTP-26.2.5.6

OTP-26.2.5.7

OTP-26.2.5.8

OTP-26.2.5.9

OTP-27.*

OTP-27.0

OTP-27.0-rc1

OTP-27.0-rc2

OTP-27.0-rc3

OTP-27.0.1

OTP-27.1

OTP-27.1.1

OTP-27.1.2

OTP-27.1.3

OTP-27.2

OTP-27.2.1

OTP-27.2.2

OTP-27.2.3

OTP-27.2.4

OTP-27.3

OTP-27.3.1

OTP-27.3.2

OTP_17.*

OTP_17.0-rc1

OTP_17.0-rc2

Other

OTP_R13B03

OTP_R13B04

OTP_R14A

OTP_R14B

OTP_R14B01

OTP_R14B02

OTP_R14B03

OTP_R14B04

OTP_R15A

OTP_R15B

OTP_R15B01

OTP_R15B02

OTP_R15B03

OTP_R15B03-1

OTP_R16A_RELEASE_CANDIDATE

OTP_R16B

OTP_R16B01

OTP_R16B01_RC1

OTP_R16B02

OTP_R16B03

OTP_R16B03-1

OTP_R16B03_yielding_binary_to_term

R16B02_yielding_binary_to_term

patch-base-24

patch-base-25

patch-base-26