Vulnerabilities
Introduction
This section describes how Erlang/OTP reports vulnerabilities, both CVEs in Erlang/OTP itself and CVEs in the third-party dependencies that Erlang/OTP builds upon.
Erlang/OTP reports all vulnerabilities using the OpenVEX specification. This specification makes it easy to describe which CVEs affect which Erlang/OTP versions and which specific OTP applications. It also records which CVEs from third parties affect (or do not affect) Erlang/OTP.
Erlang/OTP releases OpenVEX statements under vex/otp-<version>.openvex.json in the master branch of the Erlang/OTP Github repository, where <version> corresponds to the Erlang/OTP release number.
Erlang/OTP VEX Statements
Erlang/OTP OpenVEX statements specify which Erlang/OTP versions are affected/fixed (e.g., pkg:otp/erlang@27.3.1), as well as the specific Erlang/OTP application version of all affected versions (e.g., pkg:otp/ssh@5.2.9).
As an example, the following snippet of vex/otp-27.openvex.json contains the vulnerability identified by CVE-2025-32433, followed by the status of the vulnerability (affected), the affected Erlang/OTP releases, namely 27.3.1 and 27.3.2, and the Erlang/OTP application that was vulnerable, ssh@5.2.9.
The affected versions are reported using both the release version and the application version because the application can be updated independently of the release.
In some cases there is an optional action statement that describes a workaround for the vulnerability.
    {
      "vulnerability": {
        "name": "CVE-2025-32433"
      },
      "timestamp": "2025-06-18T12:18:16.661272703+02:00",
      "products": [
        { "@id": "pkg:otp/erlang@27.3.1" },
        { "@id": "pkg:otp/erlang@27.3.2" },
        { "@id": "pkg:otp/ssh@5.2.9" }
      ],
      "status": "affected",
      "action_statement": "A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.",
      "action_statement_timestamp": "2025-06-18T12:18:16.661272703+02:00"
    },
The fixed version is reported in a similar fashion, in the same document. For example, there is a second statement for CVE-2025-32433 with status fixed, which links to the versions that do not suffer from CVE-2025-32433, namely erlang@27.3.3 and otp/ssh@5.2.10.
    {
      "vulnerability": {
        "name": "CVE-2025-32433"
      },
      "timestamp": "2025-06-18T12:18:16.676540081+02:00",
      "products": [
        { "@id": "pkg:otp/erlang@27.3.3" },
        { "@id": "pkg:otp/ssh@5.2.10" }
      ],
      "status": "fixed"
    },
Third Party VEX Statements
Erlang/OTP generates statements for the third parties on which the project depends. It is important to understand the scope of these third-party statements, since Erlang/OTP vendors some libraries as part of the runtime.
Vendoring means that the Erlang/OTP source tree contains a local copy of a library. There are numerous reasons why this is necessary, which we do not cover here.
This excludes libraries that are dynamically or statically linked during the Erlang/OTP build process. For instance, any security-related Erlang application relies on a dynamically or statically linked version of the OpenSSL cryptolib.
Erlang/OTP reports vulnerabilities for any vulnerable source code that is included in the Erlang/OTP release.
The OpenVEX statements for our third-party libraries specify the affected/fixed version using the commit SHA1 from the respective upstream repository. This is because our third-party dependencies are written in C/C++ and vulnerability scanners such as OSV report vulnerabilities in ranges.
As an example, the following statement records that the OpenSSL code that Erlang/OTP vendors is not susceptible to CVE-2023-6129:
    {
      "vulnerability": {
        "name": "CVE-2023-6129"
      },
      "timestamp": "2025-06-18T12:18:16.47247833+02:00",
      "products": [
        { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
Diving into the example, this means that Erlang/OTP vendors a version of openssl taken from commit 01d5e2318405362b4de5e670c90d9b40a351d053 of the repository https://github.com/openssl/openssl/commit/01d5e2318405362b4de5e670c90d9b40a351d053 (OpenSSL version 3.1.4). The openssl code that Erlang/OTP vendors can be found in ./lib/erl_interface/src/openssl/ and ./erts/emulator/openssl/. The OpenVEX statement claims that the code in those folders is not susceptible to CVE-2023-6129. The claim covers only source code that exists in Erlang/OTP.
In other words, the not_affected status refers to the copy of OpenSSL that Erlang/OTP vendors (the library that ships with Erlang/OTP). If you build Erlang/OTP and link against any OpenSSL version (e.g., 3.5.2 or even 3.1.4) during the build process, your project now has a new build and runtime dependency and may be subject to CVE-2023-6129.
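Putting the Erlang/OTP statements and the third-party statements together, as an added example that is not part of the Erlang/OTP documentation or tooling: the document below is constructed from the three statements quoted on this page, and the `assess` helper and its ranking rule (a match on an application or vendored third-party purl outranks a match on the release purl alone, reflecting that an application can be patched independently of the release) are assumptions of this example, not something OpenVEX or Erlang/OTP defines.

```python
# Added example (not from the Erlang/OTP docs): work out which status in an
# otp-<version>.openvex.json applies to a given installation. The statements
# below are constructed from the snippets quoted on this page.
RELEASE = "pkg:otp/erlang"  # purl name of the OTP release itself

def stmt(cve, ts, products, status, **extra):
    """Build one OpenVEX statement in the shape Erlang/OTP publishes."""
    return {"vulnerability": {"name": cve}, "timestamp": ts,
            "products": [{"@id": p} for p in products], "status": status, **extra}

OTP27_VEX = {"statements": [
    stmt("CVE-2025-32433", "2025-06-18T12:18:16.661272703+02:00",
         ["pkg:otp/erlang@27.3.1", "pkg:otp/erlang@27.3.2", "pkg:otp/ssh@5.2.9"],
         "affected", action_statement="A temporary workaround involves disabling "
         "the SSH server or to prevent access via firewall rules."),
    stmt("CVE-2025-32433", "2025-06-18T12:18:16.676540081+02:00",
         ["pkg:otp/erlang@27.3.3", "pkg:otp/ssh@5.2.10"], "fixed"),
    stmt("CVE-2023-6129", "2025-06-18T12:18:16.47247833+02:00",
         ["pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053"],
         "not_affected", justification="vulnerable_code_not_present"),
]}

def purl_name(purl):
    """'pkg:otp/ssh@5.2.9' -> 'pkg:otp/ssh' (drop the version)."""
    return purl.rsplit("@", 1)[0]

def assess(vex, installed):
    """Return {cve: statement} for every CVE whose statements name an installed purl.

    `installed` lists the purls of the running system: the release purl, the OTP
    applications actually present (possibly updated independently of the release)
    and the vendored third-party code. Ranking rule assumed by this example: a
    statement matching an application or third-party purl outranks one matching
    only the release purl; among equally specific statements the later timestamp
    wins, as OpenVEX requires. Timestamps are compared as strings, which suffices
    for the single RFC 3339 layout and fixed UTC offset the OTP documents use.
    """
    installed = set(installed)
    best = {}  # cve -> (rank, statement)
    for s in vex["statements"]:
        hit = {p["@id"] for p in s["products"]} & installed
        if not hit:
            continue
        rank = (any(purl_name(p) != RELEASE for p in hit), s["timestamp"])
        cve = s["vulnerability"]["name"]
        if cve not in best or rank > best[cve][0]:
            best[cve] = (rank, s)
    return {cve: s for cve, (_, s) in best.items()}
```

Running OTP 27.3.1 with ssh upgraded to 5.2.10 resolves CVE-2025-32433 to fixed, while the same release with ssh 5.2.9 resolves to affected and carries the action_statement.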
Windows Binaries
For the time being, Erlang/OTP Windows binaries are not reported in the OpenVEX specification.