CVE-2025-32433

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32433.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32433
Aliases
  • GHSA-37cp-fgq5-7wc2
Downstream
Related
Published
2025-04-16T21:34:37Z
Modified
2025-10-14T14:35:19Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
Details

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, the Erlang/OTP SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround is to disable the SSH server or to block access to it with firewall rules.

References

Affected packages

Git /

Affected ranges

Database specific

{
    "unresolved_versions": [
        {
            "events": [
                {
                    "introduced": "OTP-27.0-rc1"
                },
                {
                    "fixed": "OTP-27.3.3"
                }
            ],
            "type": ""
        },
        {
            "events": [
                {
                    "introduced": "OTP-26.0-rc1"
                },
                {
                    "fixed": "OTP-26.2.5.11"
                }
            ],
            "type": ""
        },
        {
            "events": [
                {
                    "introduced": "0"
                },
                {
                    "fixed": "OTP-25.3.2.20"
                }
            ],
            "type": ""
        }
    ]
}