CVE-2025-46712

Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).

Database specific

{
    "cwe_ids": [
        "CWE-440"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46712.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type

GIT

Repo

https://github.com/erlang/otp

Events

Introduced

601a012837ea0a5c8095bf24223132824177124d

Fixed

c388a2d1b3f9918652276d4798692dd4d8ef97fc

Database specific

{
    "versions": [
        {
            "introduced": "OTP27.0"
        },
        {
            "fixed": "OTP27.3.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/erlang/otp

Events

Introduced

ca8b893f9d5bdd0957b78514ba523032e762c644

Fixed

7335f79eeaa0094c274dab2aa2ced9e138027c75

Database specific

{
    "versions": [
        {
            "introduced": "OTP26.2.1"
        },
        {
            "fixed": "OTP26.2.5.12"
        }
    ]
}

Type

GIT

Repo

https://github.com/erlang/otp

Events

Introduced

Fixed

52199ed7e79646b73bacc47c92967ce9970b2373

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "OTP25.3.2.21"
        }
    ]
}

Affected versions

OTP-17.*

OTP-17.0

OTP-17.0.1

OTP-17.0.2

OTP-17.1

OTP-17.1.1

OTP-17.1.2

OTP-17.2

OTP-17.2.1

OTP-17.2.2

OTP-17.3

OTP-17.3.1

OTP-17.3.2

OTP-17.3.3

OTP-17.3.4

OTP-17.4

OTP-17.4.1

OTP-17.5

OTP-17.5.1

OTP-17.5.2

OTP-17.5.3

OTP-17.5.4

OTP-17.5.5

OTP-17.5.6

OTP-17.5.6.1

OTP-17.5.6.10

OTP-17.5.6.2

OTP-17.5.6.3

OTP-17.5.6.4

OTP-17.5.6.5

OTP-17.5.6.6

OTP-17.5.6.7

OTP-17.5.6.8

OTP-17.5.6.9

OTP-18.*

OTP-18.0

OTP-18.0-rc1

OTP-18.0-rc2

OTP-18.0.1

OTP-18.0.2

OTP-18.0.3

OTP-18.1

OTP-18.1.1

OTP-18.1.2

OTP-18.1.3

OTP-18.1.4

OTP-18.1.5

OTP-18.2

OTP-18.2.1

OTP-18.2.2

OTP-18.2.3

OTP-18.2.4

OTP-18.2.4.0.1

OTP-18.2.4.1

OTP-18.3

OTP-18.3.1

OTP-18.3.2

OTP-18.3.3

OTP-18.3.4

OTP-18.3.4.1

OTP-18.3.4.1.1

OTP-18.3.4.10

OTP-18.3.4.11

OTP-18.3.4.2

OTP-18.3.4.3

OTP-18.3.4.4

OTP-18.3.4.5

OTP-18.3.4.6

OTP-18.3.4.7

OTP-18.3.4.8

OTP-18.3.4.9

OTP-19.*

OTP-19.0

OTP-19.0-rc1

OTP-19.0-rc2

OTP-19.0.1

OTP-19.0.2

OTP-19.0.3

OTP-19.0.4

OTP-19.0.5

OTP-19.0.6

OTP-19.0.7

OTP-19.1

OTP-19.1.1

OTP-19.1.2

OTP-19.1.3

OTP-19.1.4

OTP-19.1.5

OTP-19.1.6

OTP-19.1.6.1

OTP-19.2

OTP-19.2.1

OTP-19.2.2

OTP-19.2.3

OTP-19.2.3.1

OTP-19.3

OTP-19.3.1

OTP-19.3.2

OTP-19.3.3

OTP-19.3.4

OTP-19.3.5

OTP-19.3.6

OTP-19.3.6.1

OTP-19.3.6.10

OTP-19.3.6.11

OTP-19.3.6.12

OTP-19.3.6.13

OTP-19.3.6.2

OTP-19.3.6.3

OTP-19.3.6.4

OTP-19.3.6.5

OTP-19.3.6.6

OTP-19.3.6.7

OTP-19.3.6.8

OTP-19.3.6.9

OTP-20.*

OTP-20.0

OTP-20.0-rc1

OTP-20.0-rc2

OTP-20.0.1

OTP-20.0.2

OTP-20.0.3

OTP-20.0.4

OTP-20.0.5

OTP-20.1

OTP-20.1.1

OTP-20.1.2

OTP-20.1.3

OTP-20.1.4

OTP-20.1.5

OTP-20.1.6

OTP-20.1.7

OTP-20.1.7.1

OTP-20.2

OTP-20.2.0.1

OTP-20.2.1

OTP-20.2.2

OTP-20.2.3

OTP-20.2.4

OTP-20.3

OTP-20.3.1

OTP-20.3.2

OTP-20.3.2.1

OTP-20.3.3

OTP-20.3.4

OTP-20.3.5

OTP-20.3.6

OTP-20.3.7

OTP-20.3.8

OTP-20.3.8.1

OTP-20.3.8.10

OTP-20.3.8.11

OTP-20.3.8.12

OTP-20.3.8.13

OTP-20.3.8.14

OTP-20.3.8.15

OTP-20.3.8.16

OTP-20.3.8.17

OTP-20.3.8.18

OTP-20.3.8.19

OTP-20.3.8.2

OTP-20.3.8.20

OTP-20.3.8.21

OTP-20.3.8.22

OTP-20.3.8.23

OTP-20.3.8.24

OTP-20.3.8.25

OTP-20.3.8.26

OTP-20.3.8.3

OTP-20.3.8.4

OTP-20.3.8.5

OTP-20.3.8.6

OTP-20.3.8.7

OTP-20.3.8.8

OTP-20.3.8.9

OTP-21.*

OTP-21.0

OTP-21.0-rc1

OTP-21.0-rc2

OTP-21.0.1

OTP-21.0.2

OTP-21.0.3

OTP-21.0.4

OTP-21.0.5

OTP-21.0.6

OTP-21.0.7

OTP-21.0.8

OTP-21.0.9

OTP-21.1

OTP-21.1.1

OTP-21.1.2

OTP-21.1.3

OTP-21.1.4

OTP-21.2

OTP-21.2.1

OTP-21.2.2

OTP-21.2.3

OTP-21.2.4

OTP-21.2.5

OTP-21.2.6

OTP-21.2.7

OTP-21.3

OTP-21.3.1

OTP-21.3.2

OTP-21.3.3

OTP-21.3.4

OTP-21.3.5

OTP-21.3.6

OTP-21.3.7

OTP-21.3.7.1

OTP-21.3.8

OTP-21.3.8.1

OTP-21.3.8.10

OTP-21.3.8.11

OTP-21.3.8.12

OTP-21.3.8.13

OTP-21.3.8.14

OTP-21.3.8.15

OTP-21.3.8.16

OTP-21.3.8.17

OTP-21.3.8.18

OTP-21.3.8.19

OTP-21.3.8.2

OTP-21.3.8.20

OTP-21.3.8.21

OTP-21.3.8.22

OTP-21.3.8.23

OTP-21.3.8.24

OTP-21.3.8.3

OTP-21.3.8.4

OTP-21.3.8.5

OTP-21.3.8.6

OTP-21.3.8.7

OTP-21.3.8.8

OTP-21.3.8.9

OTP-22.*

OTP-22.0

OTP-22.0-rc1

OTP-22.0-rc2

OTP-22.0-rc3

OTP-22.0.1

OTP-22.0.2

OTP-22.0.3

OTP-22.0.4

OTP-22.0.5

OTP-22.0.6

OTP-22.0.7

OTP-22.1

OTP-22.1.1

OTP-22.1.2

OTP-22.1.3

OTP-22.1.4

OTP-22.1.5

OTP-22.1.6

OTP-22.1.7

OTP-22.1.8

OTP-22.1.8.1

OTP-22.2

OTP-22.2.1

OTP-22.2.2

OTP-22.2.3

OTP-22.2.4

OTP-22.2.5

OTP-22.2.6

OTP-22.2.7

OTP-22.2.8

OTP-22.3

OTP-22.3.1

OTP-22.3.2

OTP-22.3.3

OTP-22.3.4

OTP-22.3.4.1

OTP-22.3.4.10

OTP-22.3.4.11

OTP-22.3.4.12

OTP-22.3.4.12.1

OTP-22.3.4.13

OTP-22.3.4.14

OTP-22.3.4.15

OTP-22.3.4.16

OTP-22.3.4.17

OTP-22.3.4.18

OTP-22.3.4.19

OTP-22.3.4.2

OTP-22.3.4.20

OTP-22.3.4.21

OTP-22.3.4.22

OTP-22.3.4.23

OTP-22.3.4.24

OTP-22.3.4.25

OTP-22.3.4.26

OTP-22.3.4.3

OTP-22.3.4.4

OTP-22.3.4.5

OTP-22.3.4.6

OTP-22.3.4.7

OTP-22.3.4.8

OTP-22.3.4.9

OTP-23.*

OTP-23.0

OTP-23.0-rc1

OTP-23.0-rc2

OTP-23.0-rc3

OTP-23.0.1

OTP-23.0.2

OTP-23.0.3

OTP-23.0.4

OTP-23.1

OTP-23.1.1

OTP-23.1.2

OTP-23.1.3

OTP-23.1.4

OTP-23.1.4.1

OTP-23.1.5

OTP-23.2

OTP-23.2.1

OTP-23.2.2

OTP-23.2.3

OTP-23.2.4

OTP-23.2.5

OTP-23.2.6

OTP-23.2.7

OTP-23.2.7.1

OTP-23.2.7.2

OTP-23.2.7.3

OTP-23.2.7.4

OTP-23.2.7.5

OTP-23.3

OTP-23.3.1

OTP-23.3.2

OTP-23.3.3

OTP-23.3.4

OTP-23.3.4.1

OTP-23.3.4.10

OTP-23.3.4.11

OTP-23.3.4.12

OTP-23.3.4.13

OTP-23.3.4.14

OTP-23.3.4.15

OTP-23.3.4.16

OTP-23.3.4.17

OTP-23.3.4.18

OTP-23.3.4.2

OTP-23.3.4.3

OTP-23.3.4.4

OTP-23.3.4.5

OTP-23.3.4.6

OTP-23.3.4.7

OTP-23.3.4.8

OTP-23.3.4.9

OTP-24.*

OTP-24.0

OTP-24.0-rc1

OTP-24.0-rc2

OTP-24.0-rc3

OTP-24.0.1

OTP-24.0.2

OTP-24.0.3

OTP-24.0.4

OTP-24.0.5

OTP-24.0.6

OTP-24.1

OTP-24.1.1

OTP-24.1.2

OTP-24.1.3

OTP-24.1.4

OTP-24.1.5

OTP-24.1.6

OTP-24.1.7

OTP-24.2

OTP-24.2.1

OTP-24.2.2

OTP-24.3

OTP-24.3.1

OTP-24.3.2

OTP-24.3.3

OTP-24.3.4

OTP-24.3.4.1

OTP-24.3.4.15

OTP-24.3.4.16

OTP-24.3.4.2

OTP-24.3.4.3

OTP-24.3.4.4

OTP-24.3.4.5

OTP-24.3.4.6

OTP-24.3.4.7

OTP-24.3.4.8

OTP-24.3.4.9

OTP-25.*

OTP-25.0

OTP-25.0-rc1

OTP-25.0-rc2

OTP-25.0-rc3

OTP-25.0.1

OTP-25.0.2

OTP-25.0.3

OTP-25.0.4

OTP-25.1

OTP-25.1.1

OTP-25.1.2

OTP-25.1.2.1

OTP-25.2

OTP-25.2.1

OTP-25.2.2

OTP-25.2.3

OTP-25.3

OTP-25.3.1

OTP-25.3.2

OTP-25.3.2.1

OTP-25.3.2.10

OTP-25.3.2.11

OTP-25.3.2.12

OTP-25.3.2.13

OTP-25.3.2.14

OTP-25.3.2.15

OTP-25.3.2.16

OTP-25.3.2.17

OTP-25.3.2.18

OTP-25.3.2.19

OTP-25.3.2.2

OTP-25.3.2.20

OTP-25.3.2.3

OTP-25.3.2.4

OTP-25.3.2.5

OTP-25.3.2.6

OTP-25.3.2.7

OTP-25.3.2.8

OTP-25.3.2.9

OTP-26.*

OTP-26.2.1

OTP-26.2.2

OTP-26.2.3

OTP-26.2.4

OTP-26.2.5

OTP-26.2.5.1

OTP-26.2.5.10

OTP-26.2.5.11

OTP-26.2.5.2

OTP-26.2.5.3

OTP-26.2.5.4

OTP-26.2.5.5

OTP-26.2.5.6

OTP-26.2.5.7

OTP-26.2.5.8

OTP-26.2.5.9

OTP-27.*

OTP-27.0

OTP-27.0.1

OTP-27.1

OTP-27.1.1

OTP-27.1.2

OTP-27.1.3

OTP-27.2

OTP-27.2.1

OTP-27.2.2

OTP-27.2.3

OTP-27.2.4

OTP-27.3

OTP-27.3.1

OTP-27.3.2

OTP-27.3.3

OTP_17.*

OTP_17.0-rc1

OTP_17.0-rc2

Other

OTP_R13B03

OTP_R13B04

OTP_R14A

OTP_R14B

OTP_R14B01

OTP_R14B02

OTP_R14B03

OTP_R14B04

OTP_R15A

OTP_R15B

OTP_R15B01

OTP_R15B02

OTP_R15B03

OTP_R15B03-1

OTP_R16A_RELEASE_CANDIDATE

OTP_R16B

OTP_R16B01

OTP_R16B01_RC1

OTP_R16B02

OTP_R16B03

OTP_R16B03-1

OTP_R16B03_yielding_binary_to_term

R16B02_yielding_binary_to_term

patch-base-24

patch-base-25

patch-base-26