Debian Erlang vulnerabilities
30 known vulnerabilities affecting debian/erlang.
Total CVEs: 30
CISA KEV: 1 (actively exploited)
Public exploits: 4
Exploited in wild: 2
Severity breakdown:
CRITICAL: 3
HIGH: 7
MEDIUM: 10
LOW: 10
Vulnerabilities
Page 2 of 2
CVE-2025-48038 | P4 | MEDIUM | CVSS 5.3 | fixed in erlang 1:23.2.6+dfsg-1+deb11u3 (bullseye) | 2025
CVE-2025-48038 [MEDIUM]: erlang
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.
debian
CVE-2025-48039 | P4 | MEDIUM | CVSS 5.3 | fixed in erlang 1:23.2.6+dfsg-1+deb11u3 (bullseye) | 2025
CVE-2025-48039 [MEDIUM]: erlang
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.
debian
CVE-2016-1000107 | P4 | LOW | CVSS 6.1 | fixed in erlang 1:27.3.4.3+dfsg-1 (forky) | 2016
CVE-2016-1000107 [MEDIUM]: erlang
inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request,
debian
CVE-2015-2774 | P4 | LOW | CVSS 3.4 | fixed in erlang 1:17.3-dfsg-4 (bookworm) | 2015
CVE-2015-2774 [LOW]: erlang
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
Scope: local
bookworm: resolved (fixed in 1:17.3-dfsg-4)
bullseye: resolved (fixed in 1:17.3-dfsg-4)
forky: resolved (fixed
debian
CVE-2024-53846 | P4 | LOW | CVSS 5.5 | fixed in erlang 1:27.2+dfsg-1 (forky) | 2024
CVE-2024-53846 [MEDIUM]: erlang
OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrec
debian
CVE-2020-12872 | P4 | LOW | CVSS 5.5 | fixed in erlang 1:21.2.6+dfsg-1 (bookworm) | 2020
CVE-2020-12872 [MEDIUM]: erlang
yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0.
Scope: local
bookworm: resolved (fixed in 1:21.2.6+dfsg-1)
bullseye: resolved (fixed in 1:21.2.6+dfsg-1)
forky: resolved (fixed in 1:21.2.6+dfsg-1)
sid: resolved
debian
CVE-2025-4748 | P4 | MEDIUM | CVSS 4.8 | fixed in erlang 1:25.2.3+dfsg-1+deb12u2 (bookworm) | 2025
CVE-2025-4748 [MEDIUM]: erlang
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This is
debian
CVE-2026-28810 | P4 | MEDIUM | CVSS 6.3 | fixed in erlang 1:27.3.4.10+dfsg-1 (sid) | 2026
CVE-2026-28810 [MEDIUM]: erlang
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS ca
debian
CVE-2026-21620 | P4 | LOW | CVSS 2.3 | fixed in erlang 1:27.3.4.8+dfsg-1 (forky) | 2026
CVE-2026-21620 [LOW]: erlang
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, fr
debian
CVE-2025-46712 | P4 | LOW | CVSS 3.7 | fixed in erlang 1:25.2.3+dfsg-1+deb12u2 (bookworm) | 2025
CVE-2025-46712 [LOW]: erlang
Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a conn
debian