CVE-2025-32433: Major vulnerability in OTP's SSH server

You may have seen that a critical security vulnerability has been disclosed in the OTP SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions.

If you run an Erlang SSH server, you need to act immediately.

More information in Unauthenticated Remote Code Execution in Erlang/OTP SSH · Advisory · erlang/otp · GitHub

10 Likes

I’ve published a writeup on this - What the Critical Erlang SSH Vulnerability Means for Elixir Developers

The summary is if you’re using Phoenix, you are most likely not affected. If you are using Nerves with SSH in production, you may be vulnerable. The Nerves team is aware of this issue and they are actively working on a solution so people can easily update.

7 Likes

I see only 3 OTP versions mentioned, does this mean that OTP-24 and older don’t suffer from this issue?

1 Like

I believe they are vulnerable, the root cause of the bug is related to the SSH handshake in Erlang. OTP-24 and older seem to be out of support, so they don’t get security updates - Erlang | endoflife.date

1 Like

Erlang/OTP supports the last 3 OTP releases with security updates and patches.

https://github.com/erlang/otp/blob/master/SECURITY.md

2 Likes

Perhaps a Mod can move this to Elixir News category, this is an extremely serious vulnerability, albeit only for those who:

  • use the erlang/otp ssh app as a daemon
  • and have exposed this functionality to the internet

There is already proof-of-concept code.

Work-around

  • use firewall rules to block external connectivity to your ssh port
  • don’t start the erlang ssh daemon within your elixir app startup

Fix

  • re-build with a patched OTP release & re-deploy

Affected versions

  • <= OTP-27.3.2
  • <= OTP-26.2.5.10
  • <= OTP-25.3.2.19
  • any older Erlang/OTP releases <=OTP-24

Patched versions

NB only supported OTP releases are 25+

  • >= OTP-27.3.3
  • >= OTP-26.2.5.11
  • >= OTP-25.3.2.20

5 Likes

See also CVE-2025-32433: Major vulnerability in OTP's SSH server

1 Like

There’s a fix out for this now. If you have an outdated system then I’d heartily recommend upgrading!

4 Likes

I read it and I have a live app on fly.io using Phoenix, but when I nmap'ed my app it says port 22/tcp is open for ssh.
I guess I’m vulnerable even though I use Phoenix and Fly.io, right?

Most likely no, port 22 is used internally by Fly.io for fly ssh console, so it’s highly unlikely you are running an Erlang SSH server on that port.

For you to be vulnerable, you have to do all of these:

  1. Enable :ssh as an extra application in your mix.exs file. (It is off by default)
  2. Configure your Elixir app to accept Erlang SSH connections on a non-standard port
  3. Manually expose that running service via the Fly.io feature external port ranges, launched in 2023 - Annoucement: External port ranges - announcement - Fly.io (my original post is technically wrong when it says this is not possible on Fly.io, however I hope this whole explanation shows why it is so unlikely)

When you nmap a Fly.io hosted app it will show port 22 is open, but that’s for Fly.io official use, your application is not running the Erlang SSH server on that port. For example, run:

nc your_domain_here 22

If it returns SSH-2.0-Erlang/VERSION then you are vulnerable. Most likely it will return nothing (I just tested it), and you are not vulnerable.

7 Likes
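The banner check above (`nc your_domain_here 22`) and the affected-version list earlier in the thread can both be scripted. The following is an added example written for this thread, not code from the forum posters or from Erlang/OTP: `grab_banner` does what the `nc` one-liner does, `classify_banner` tells an Erlang SSH banner apart from another SSH server or no banner at all, and `otp_is_affected` compares an OTP release string against the thresholds quoted in the thread. The sample banner strings in the comments and test are constructed; the host name `your_domain_here` is the placeholder from the thread.

```python
"""Added example for the CVE-2025-32433 thread; assumes only the Python standard library."""
import re
import socket
import sys

# Highest affected patch release per supported major, as listed in the thread.
# OTP-24 and older are out of support and get no fix, so they count as affected.
AFFECTED_UP_TO = {
    27: (27, 3, 2),
    26: (26, 2, 5, 10),
    25: (25, 3, 2, 19),
}

# Erlang's SSH server identifies itself as SSH-2.0-Erlang/<ssh application version>.
ERLANG_BANNER = re.compile(r"^SSH-2\.0-Erlang(?:/(\S+))?")


def parse_otp_version(version: str) -> tuple:
    """'26.2.5.10' -> (26, 2, 5, 10); an 'OTP-' prefix is accepted and dropped."""
    version = version.strip()
    if version.upper().startswith("OTP-"):
        version = version[4:]
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an OTP version string: {version!r}")
    return tuple(int(p) for p in parts)


def otp_is_affected(version: str):
    """True/False for the majors the thread lists; None for a major it does not (e.g. 28)."""
    v = parse_otp_version(version)
    major = v[0]
    if major <= 24:
        return True
    if major in AFFECTED_UP_TO:
        # Tuples compare lexicographically, and a shorter prefix such as (27, 3)
        # sorts below (27, 3, 2), so a bare '27.3' is correctly treated as older.
        return v <= AFFECTED_UP_TO[major]
    return None


def classify_banner(banner: str):
    """Classify the first line a server sent after connect.

    Returns ('erlang_ssh', version-or-None), ('other_ssh', first line),
    ('not_ssh', first line) or ('no_banner', '').
    """
    stripped = banner.strip()
    first = stripped.splitlines()[0] if stripped else ""
    if not first:
        return ("no_banner", "")
    m = ERLANG_BANNER.match(first)
    if m:
        return ("erlang_ssh", m.group(1))
    if first.startswith("SSH-"):
        return ("other_ssh", first)
    return ("not_ssh", first)


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Same observation as `nc host 22`: connect and read whatever the server sends first.

    Returns '' on refusal, timeout or a silent peer, which the thread treats as
    'not running the Erlang SSH server on this port'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return sock.recv(256).decode("ascii", errors="replace")
    except OSError:
        return ""


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "your_domain_here"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    kind, detail = classify_banner(grab_banner(host, port))
    if kind == "erlang_ssh":
        print(f"{host}:{port} answers with an Erlang SSH banner (ssh app {detail}); "
              "check the OTP release it was built with against the patched versions")
    else:
        print(f"{host}:{port}: {kind} {detail}".rstrip())
```

The version that follows `Erlang/` in the banner is the `ssh` application's own version, not the OTP release, so a match only tells you that an Erlang SSH daemon is reachable; the release check belongs on the node itself (the `OTP_VERSION` file of the installed release, or the version the image was built with), which is what `otp_is_affected` compares against the thread's thresholds.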

So I guess I’m really not because nc your_domain_here 22 returned nothing.

Thanks! :smiley:

1 Like

why would anyone implement an ssh server instead of using a proper server and setting up socks on it? that’s some serious yak shaving.

anyone have the history on this? i bet there’s an awesome blog post read somewhere.

Actually the ssh/sftp server constructs are very useful libraries. One of the use-cases we had was that we were setting up sftp servers from one of our web interfaces, dynamic server certificates, dynamic authorized hosts, dynamic authentication methods, ports etc.

Add to that some nice telemetry and logs, and you have very amazing and configurable ssh/sftp servers for your needs.

1 Like