
Otp

7 CVEs

CVE-2026-48856 HIGH PATCH This Week

Credential leakage in Erlang/OTP's inets httpc client (OTP 17.0 up to the fixed releases 29.0.2, 28.5.0.2 and 27.3.4.13) lets an attacker-controlled server harvest Authorization and Proxy-Authorization headers by answering with a cross-origin 3xx redirect. httpc_response:redirect/2 only updates the host field and copies every other request header verbatim to the new location, and autoredirect defaults to true, so any httpc caller that uses HTTP Basic auth or URL userinfo silently forwards its credentials to the redirect target. No public exploit identified at time of analysis; the fix has been published upstream and tagged in vendor-released OTP patch versions.

Tags: Information Disclosure, Open Redirect, Otp
References: NVD, GitHub
CVSS 4.0: 7.1
CVE-2026-48860 HIGH PATCH This Week

Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificate signed by a CA in the node's trust store gain full Erlang distribution access, including remote code execution via rpc:call/4 and code:load_binary/3. check_ip/1 inspects the local socket address (inet:sockname/1) instead of the peer's address (inet:peername/1), so the LAN-allowlist subnet comparison is made against one of the node's own interface addresses and always matches. The certificate check itself still stands, so exposure is bounded by who can obtain a certificate from a CA the node trusts; a shared or public CA in that trust store makes the bound weak. No public exploit identified at time of analysis, but the one-line root cause is fully disclosed in the upstream fix commit.
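The same mistake and its fix in Python, as an added example that is not OTP's code and not a reconstruction of check_ip/1: getsockname() plays the role of inet:sockname/1 and getpeername() that of inet:peername/1. The `AcceptedSocket` stand-in, the 10.0.0.0/8 allowlist and the `cert_ok` flag are this example's own constructions. The IPv4-mapped handling goes a little beyond the advisory: a dual-stack listener reports IPv4 peers as `::ffff:a.b.c.d`, which otherwise never matches an IPv4 allowlist.

```python
import ipaddress


def _ip(addr):
    """Socket addresses are (host, port[, ...]) tuples; take the host and
    unwrap IPv4-mapped IPv6 forms so an IPv4 allowlist still applies."""
    ip = ipaddress.ip_address(addr[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def allowed_by_local_address(sock, allowed_nets):
    """The flaw the advisory describes: the accepted socket's LOCAL address
    is one of this host's own interfaces, so an allowlist that contains the
    local subnet matches no matter where the connection came from."""
    return any(_ip(sock.getsockname()) in net for net in allowed_nets)


def allowed_by_peer_address(sock, allowed_nets):
    """Check the address the connection actually arrived from."""
    return any(_ip(sock.getpeername()) in net for net in allowed_nets)


class AcceptedSocket:
    """Stand-in for an accepted TCP socket (constructed for this example);
    only the two address accessors are needed."""

    def __init__(self, local, peer):
        self._local, self._peer = local, peer

    def getsockname(self):
        return self._local

    def getpeername(self):
        return self._peer


LAN = [ipaddress.ip_network("10.0.0.0/8")]  # assumed cluster subnet


def authorize_distribution_peer(sock, allowed_nets=LAN, cert_ok=True):
    """Combined gate: a valid CA-signed certificate alone is not enough,
    the peer must also come from an allowlisted subnet."""
    return bool(cert_ok) and allowed_by_peer_address(sock, allowed_nets)
```

With a peer at 203.0.113.9 connecting to a listener bound on 10.0.0.5, `allowed_by_local_address` says yes and `allowed_by_peer_address` says no; that one-word difference is the whole bypass.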

Tags: Authentication Bypass, Otp
References: NVD, GitHub
CVSS 4.0: 7.5
CVE-2026-48855 LOW PATCH Monitor

Path disclosure in Erlang OTP's ssh_sftpd module exposes the absolute backend filesystem path of the SFTP chroot root to authenticated clients. By creating a symlink inside the chroot pointing to '/' and issuing SSH_FXP_READLINK, an authenticated SFTP client receives the raw absolute path (e.g., '/data/sftp') that the server uses as the chroot backend, rather than the sanitized chroot-relative value '/'. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.3 reflects the narrowly scoped, low-severity nature of the disclosure.
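What a chroot-aware READLINK answer has to do, as an added Python example (not ssh_sftpd's code): an absolute target read from the backend is mapped back under the chroot root, so a link to the root itself comes back as '/' and a target outside the root is refused rather than echoed. The `reproduce` helper stages the probe from the advisory in a throwaway directory; the directory, the link name `up` and the decision to return None for escapes are this example's own choices.

```python
import os
import posixpath
import tempfile


def chroot_readlink(root, link_target):
    """Translate a symlink target read from the backend filesystem into the
    path space a chrooted SFTP client may see.

    root: backend directory presented to the client as '/'.
    link_target: raw readlink() result (the value the advisory says was
    returned verbatim). Returns the client-visible target, or None when the
    target lies outside the chroot and should be answered with an error
    status rather than a path."""
    root = posixpath.normpath(root)
    if not link_target.startswith("/"):
        return link_target            # relative targets reveal no backend path
    target = posixpath.normpath(link_target)
    if root == "/":
        return target                 # no chroot, nothing to hide
    if target == root:
        return "/"
    if target.startswith(root + "/"):
        return target[len(root):]
    return None


def reproduce(root, client_link_name="up"):
    """The advisory's probe against a backend directory: the client asks for
    a symlink to '/', the server stores it as a link to the backend root,
    and READLINK must come back as '/' and not as the backend path.
    Returns (raw_backend_target, sanitized_target)."""
    link = os.path.join(root, client_link_name)
    os.symlink(root, link)            # server-side translation of client '/'
    raw = os.readlink(link)
    return raw, chroot_readlink(root, raw)


def reproduce_in_tempdir():
    """Run reproduce() in a temporary backend directory (Unix symlinks)."""
    with tempfile.TemporaryDirectory() as root:
        return reproduce(root)
```

The raw value from `reproduce` is the backend directory, which is exactly the disclosure; the sanitized value is '/'. Relative targets pass through untouched because they cannot name a backend path.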

Tags: Information Disclosure, Otp
References: NVD, GitHub
CVSS 4.0: 2.3
CVE-2026-48858 MEDIUM PATCH This Month

SSRF and FTP bounce attacks are possible through Erlang/OTP's ftp_internal module because its PASV handler trusts the IP address in the server's 227 reply and opens the data connection to that address, including internal targets, without checking it against the control connection's actual peer address. Every Erlang application using the ftp client in its default passive IPv4 mode (ipfamily=inet, ftp_extension=false) on OTP 17.4 through the releases before 29.0.2 is affected, covering both the legacy inets-bundled module and the standalone ftp application. No active exploitation has been confirmed (not in CISA KEV), but a working proof of concept for the data-connection redirect is embedded in the upstream fix commit, which lowers the exploitation barrier considerably.
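A 227 parser with the missing check, as an added Python example (not the ftp application's code): the port is taken from the reply, the address is not. The trusting variant is the behaviour the advisory describes; the checked variant always connects to the control connection's peer and reports a mismatch so the caller can log it. The sample replies and peer addresses are constructed.

```python
import re

_PASV = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into
    (advertised_host, port), rejecting out-of-range octets and port 0."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: %r" % reply)
    m = _PASV.search(reply)
    if m is None:
        raise ValueError("malformed 227 reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % reply)
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 in 227 reply")
    return ".".join(map(str, octets[:4])), port


def data_endpoint_trusting(reply):
    """The behaviour the advisory describes: connect wherever the server
    says, even when that is an internal host (vulnerable)."""
    return parse_pasv_reply(reply)


def data_endpoint_checked(reply, control_peer_ip):
    """Only the port is taken from the reply. The data connection always
    goes to the address the control connection is already talking to.
    Returns (host, port, advertised_host_differed)."""
    advertised, port = parse_pasv_reply(reply)
    return control_peer_ip, port, advertised != control_peer_ip


# Constructed replies: one pointing the data channel at an internal host,
# one matching the control peer.
BOUNCE_REPLY = "227 Entering Passive Mode (10,0,0,5,19,137)"
HONEST_REPLY = "227 Entering Passive Mode (203,0,113,10,19,137)"
CONTROL_PEER = "203.0.113.10"
```

This is the same rule curl applies with `--ftp-skip-pasv-ip`. EPSV replies (229) carry only a port, which is why the extended mode the advisory lists as not the default does not have this particular problem.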

Tags: SSRF, Otp
References: NVD, GitHub
CVSS 4.0: 6.3
CVE-2026-48859 MEDIUM PATCH This Month

Username enumeration via timing side-channel in Erlang/OTP SSH daemon (OTP 29.0-29.0.1) allows unauthenticated remote attackers to distinguish valid from invalid usernames in a single probe. When the daemon is configured with the `user_passwords` or `password` options, valid usernames trigger a 600,000-iteration PBKDF2-SHA256 computation (~300ms) while invalid usernames return near-instantly (~0ms) through an early-exit path - a gap detectable without repeated attempts. No public exploit has been identified at time of analysis, and exploitation is constrained to non-default, test-oriented configurations.
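The early-exit shape of the bug and the constant-work fix, as an added Python example (not the ssh daemon's code): `check_early_exit` returns before any PBKDF2 work for an unknown name, `check_constant_work` runs the KDF against a dummy record first and rejects afterwards. The user table, salts, dummy record and `probe` timer are constructed for the example; the iteration count is a parameter so the demo does not have to pay for 600,000 rounds.

```python
import hashlib
import hmac
import time

HASH_LEN = 32
DUMMY_SALT = b"\x00" * 16       # fixed dummy record for unknown users
DUMMY_HASH = b"\x00" * HASH_LEN  # never matches, but costs the same to check


def derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_users(iterations):
    """Constructed user database: username -> (salt, pbkdf2 hash)."""
    salt = b"\x01" * 16
    return {"alice": (salt, derive("correct horse battery", salt, iterations))}


def check_early_exit(users, user, password, iterations):
    """Unknown user returns before any KDF work; the time difference alone
    reveals whether the name exists (the advisory's flaw)."""
    rec = users.get(user)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(derive(password, salt, iterations), expected)


def check_constant_work(users, user, password, iterations):
    """Always run the KDF, against a dummy record for unknown users, so valid
    and invalid names cost the same; reject unknown users only afterwards."""
    rec = users.get(user)
    salt, expected = rec if rec is not None else (DUMMY_SALT, DUMMY_HASH)
    match = hmac.compare_digest(derive(password, salt, iterations), expected)
    return match and rec is not None


def probe(check, users, user, iterations, password="wrong"):
    """Wall-clock cost of one login attempt, as an attacker measures it."""
    start = time.perf_counter()
    check(users, user, password, iterations)
    return time.perf_counter() - start
```

With the early-exit check a single probe of an unknown name returns in microseconds while a known name costs the full KDF; with the constant-work check both cost the same. Database lookups can still leak through caching and other paths, so this closes the gap the advisory names rather than every timing channel.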

Tags: Information Disclosure, Otp
References: NVD, GitHub
CVSS 4.0: 6.3
CVE-2026-49759 HIGH PATCH This Week

Denial of service in Erlang/OTP erts (the inet_drv SCTP handler) lets an unauthenticated remote attacker crash the BEAM VM with a single crafted SCTP ERROR chunk sent to a listening SCTP port. The flaw is a stack-based buffer overflow (CWE-121) in sctp_parse_error_chunk; a public advisory from the Erlang Ecosystem Foundation (EEF) and an upstream commit confirm the fix. No public exploit identified at time of analysis. Because the overflow can only write 16-bit values interleaved with a fixed tag, the impact is limited to DoS plus minor memory disclosure.
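A bounds-checked parser for the ERROR chunk format, as an added Python example (not a reconstruction of inet_drv's code): every inner cause length is checked against the outer chunk length before it is used, and the number of causes is capped, which is the discipline a fixed-size output buffer needs. The cause cap, the builder and the two sample chunks are this example's own constructions.

```python
import struct

SCTP_ERROR_CHUNK = 9
MAX_CAUSES = 64          # bounded output, the analogue of a fixed stack buffer


class ChunkError(ValueError):
    pass


def parse_error_chunk(chunk, max_causes=MAX_CAUSES):
    """Parse an SCTP ERROR chunk into [(cause_code, cause_data), ...].

    Chunk header: type(1) flags(1) length(2). Each error cause is
    code(2) length(2) data, padded to a 4-byte boundary, where the cause
    length counts its own 4-byte header. A crafted cause length cannot
    move the parser past the bytes it was given."""
    if len(chunk) < 4:
        raise ChunkError("chunk shorter than its header")
    ctype, _flags, clen = struct.unpack_from("!BBH", chunk, 0)
    if ctype != SCTP_ERROR_CHUNK:
        raise ChunkError("not an ERROR chunk (type %d)" % ctype)
    if clen < 4 or clen > len(chunk):
        raise ChunkError("chunk length %d out of range" % clen)
    causes = []
    off = 4
    while off < clen:
        if clen - off < 4:
            raise ChunkError("truncated cause header at offset %d" % off)
        code, length = struct.unpack_from("!HH", chunk, off)
        if length < 4 or off + length > clen:
            raise ChunkError("cause length %d at offset %d exceeds chunk" % (length, off))
        if len(causes) >= max_causes:
            raise ChunkError("more than %d causes" % max_causes)
        causes.append((code, bytes(chunk[off + 4:off + length])))
        off += (length + 3) & ~3      # step over the cause and its padding
    return causes


def build_error_chunk(causes):
    """Encode causes into an ERROR chunk (used to construct test input)."""
    body = b""
    for code, data in causes:
        cause = struct.pack("!HH", code, 4 + len(data)) + data
        body += cause + b"\x00" * (-len(cause) % 4)
    return struct.pack("!BBH", SCTP_ERROR_CHUNK, 0, 4 + len(body)) + body


def is_well_formed(chunk):
    try:
        parse_error_chunk(chunk)
        return True
    except ChunkError:
        return False


# Constructed samples: a well-formed chunk with two causes, and a crafted one
# whose single cause claims 65535 bytes while only 4 follow its header.
GOOD_CHUNK = build_error_chunk([(1, b"\x00\x01\x00\x00"), (12, b"abc")])
CRAFTED_CHUNK = (struct.pack("!BBH", SCTP_ERROR_CHUNK, 0, 12)
                 + struct.pack("!HH", 1, 0xFFFF) + b"\x00" * 4)
```

The parser never trusts a length it has not compared with the enclosing length, and it refuses to produce more output than it has room for; a C implementation writing into a stack array needs exactly those two checks before each write.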

Tags: Denial Of Service, Buffer Overflow, Stack Overflow, Otp
References: NVD, GitHub
CVSS 4.0: 8.8
CVE-2026-49760 MEDIUM PATCH This Month

Stack-based buffer overflow in Erlang/OTP's erl_interface C library (`ei_s_print_term`) crashes the calling process when it prints an encoded Erlang term that contains a very large integer, causing denial of service. Affected OTP releases span 17.0 through the unfixed branches of 27.x, 28.x and 29.x, so every C node that talks to the Erlang runtime through erl_interface is exposed. Because the bytes written past the buffer are constrained to ASCII hex digits (0-9, A-F), arbitrary code execution is not feasible; the confirmed impact is a process crash. No public exploit has been identified, and this CVE is not listed in the CISA KEV catalog.
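The bignum wire format and the size checks that keep its printing bounded, as an added Python example (not erl_interface's code): SMALL_BIG_EXT and LARGE_BIG_EXT are decoded with the digit count checked against a cap and against the bytes actually present, and `print_term_hex` computes the output size before writing instead of discovering the overflow mid-write. The cap value, the `16#` hex rendering and the sample terms are this example's own choices.

```python
import struct

SMALL_BIG_EXT = 110     # tag, n (1 byte), sign (1), n little-endian digit bytes
LARGE_BIG_EXT = 111     # tag, n (4 bytes), sign (1), n little-endian digit bytes
MAX_DIGIT_BYTES = 8192  # policy cap for this example, not an OTP constant


def decode_big(data, max_digit_bytes=MAX_DIGIT_BYTES):
    """Decode a SMALL_BIG_EXT or LARGE_BIG_EXT term. The digit count is
    validated before any digit is read. Returns (value, bytes_consumed)."""
    if not data:
        raise ValueError("empty input")
    tag = data[0]
    if tag == SMALL_BIG_EXT:
        if len(data) < 3:
            raise ValueError("truncated SMALL_BIG_EXT header")
        n, sign, off = data[1], data[2], 3
    elif tag == LARGE_BIG_EXT:
        if len(data) < 6:
            raise ValueError("truncated LARGE_BIG_EXT header")
        n, sign, off = struct.unpack_from("!I", data, 1)[0], data[5], 6
    else:
        raise ValueError("tag %d is not a bignum" % tag)
    if n > max_digit_bytes:
        raise ValueError("bignum of %d digit bytes exceeds cap" % n)
    if len(data) < off + n:
        raise ValueError("bignum claims %d digit bytes, %d present" % (n, len(data) - off))
    value = int.from_bytes(data[off:off + n], "little")
    return (-value if sign else value), off + n


def encode_big(value):
    """Encode an int as SMALL_BIG_EXT or LARGE_BIG_EXT (to build samples)."""
    sign = 1 if value < 0 else 0
    mag = abs(value)
    digits = mag.to_bytes(max(1, (mag.bit_length() + 7) // 8), "little")
    if len(digits) < 256:
        return bytes([SMALL_BIG_EXT, len(digits), sign]) + digits
    return bytes([LARGE_BIG_EXT]) + struct.pack("!I", len(digits)) + bytes([sign]) + digits


def print_term_hex(value, buf_size):
    """Render an int as an Erlang-style hex literal into a buffer of buf_size
    bytes, checking the required size first; raises OverflowError instead of
    writing past the end."""
    text = ("-" if value < 0 else "") + "16#%X" % abs(value)
    if len(text) + 1 > buf_size:          # +1 for the NUL a C buffer needs
        raise OverflowError("%d bytes needed, %d available" % (len(text) + 1, buf_size))
    return text


# Constructed header claiming 2**31 digit bytes with only four present.
CRAFTED_BIG = bytes([LARGE_BIG_EXT]) + struct.pack("!I", 1 << 31) + b"\x00" + b"\x01" * 4
```

Rejecting `CRAFTED_BIG` happens on the header alone, before anything is allocated or formatted; the same ordering (size first, write second) is what a fixed stack buffer in C requires.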

Tags: Denial Of Service, Buffer Overflow, Stack Overflow, Otp
References: NVD, GitHub
CVSS 4.0: 6.9
