Expected Behavior Violation Affecting erlang package, versions <26.2.5.12-r0


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.03% (8th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE321-ERLANG-10090178
  • published9 May 2025
  • disclosed8 May 2025

Introduced: 8 May 2025

NewCVE-2025-46712  (opens in a new tab)
CWE-440  (opens in a new tab)

How to fix?

Upgrade Alpine:3.21 erlang to version 26.2.5.12-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream erlang package and not the erlang package as distributed by Alpine. See How to fix? for Alpine:3.21 relevant fixed versions and status.

Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).