Man-in-the-Middle Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-46712

3.7LOW

Key Information:

Vendor

Erlang

Status
Otp
Vendor
CVE Published:
8 May 2025

What is CVE-2025-46712?

Erlang/OTP SSH has a vulnerability that allows a Man-in-the-Middle attacker to exploit deficiencies in the key exchange (KEX) handshake process. In affected versions prior to OTP-27.3.4, OTP-26.2.5.12, and OTP-25.3.2.21, the library inadequately enforces handshake hardening measures, permitting optional messages to be exchanged. This flaw enables attackers to inject malicious messages during the handshake, potentially compromising the integrity of data transmitted across the connection. Mitigations have been implemented in the latest software versions, emphasizing the importance of updating to maintain secure communications.

Affected Version(s)

otp >= OTP 27.0, < OTP 27.3.4 < OTP 27.0, OTP 27.3.4

otp >= OTP 26.2.1, < OTP 26.2.5.12 < OTP 26.2.1, OTP 26.2.5.12

otp < OTP 25.3.2.21 < OTP 25.3.2.21

References

https://github.com/erlang/otp/security/advisories/GHSA-93...
x_refsource_CONFIRM
https://github.com/erlang/otp/releases/tag/OTP-25.3.2.21
x_refsource_MISC
https://github.com/erlang/otp/releases/tag/OTP-26.2.5.12
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.