CVE-2025-46712: Expected Behavior Violation in OTP

Severity: 3.7 LOW (NVD)
EPSS: 0.4% (top 38.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 8
Latest update: Jul 21

Description

Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (1 package)

CVEListV5: erlang/otp < OTP 25.3.2.21 (+2)

Vulnerability Details (3)

OSV: erlang vulnerabilities (2025-07-21)
CVEList: Erlang/OTP SSH Has Strict KEX Violations (2025-05-08)
OSV: CVE-2025-46712: Erlang/OTP is a set of libraries for the Erlang programming language (2025-05-08)

Vendor Advisories (3)

Ubuntu: Erlang vulnerabilities (2025-07-21)
Microsoft: Erlang/OTP SSH Has Strict KEX Violations (2025-05-13)
Debian: CVE-2025-46712: erlang - Erlang/OTP is a set of libraries for the Erlang programming language. In version... (2025)
CVE-2025-46712 — Expected Behavior Violation in OTP | cvebase