Security

Report a vulnerability

SECURITY.md

Security Policy

Reporting a Vulnerability and/or Security Issues

Please do not report security vulnerabilities through public channels, like GitHub issues, discussions, or pull requests.

If you believe you have found a security vulnerability in this repository, please report it to [email protected] or https://github.com/erlang/otp/security.

Supported Versions

Erlang/OTP supports the last 3 OTP releases with security updates and patches. For example, if the latest release is OTP 28, we will support with maintainance and security releases:

Version	Supported
28	✅
27	✅
26	✅
=< 25	❌

Httpd in Inets Directory Traversal Vulnerability Allows Arbitrary File Read
GHSA-rmw8-5j53-j987 published Sep 12, 2025 by IngelaAndin

High
Httpd CGI Scripts Environment Variable Pollution AKA "httpoxy"
GHSA-wrj5-4mmp-gvr8 published Sep 11, 2025 by IngelaAndin

Moderate
Buffer Read Overflow on Regular Expressions with (*scs:) and (*ACCEPT)
GHSA-f9x4-wvcc-vwcf published Sep 10, 2025 by rickard-green

Moderate
SSH Unverified File Handles can Cause Excessive Use of System Resources
GHSA-pvj7-9652-7h9r published Sep 10, 2025 by u3s

Moderate
SSH Unverified Paths can Cause Excessive Use of System Resources
GHSA-rr5p-6856-j7h8 published Sep 10, 2025 by u3s

Moderate
TLS Alerts to Different Error Types in the RSA PKCS #1 1.5 Padding
GHSA-mhm2-354q-3277 published Sep 11, 2025 by IngelaAndin

Low
TLS 1.0 Missing CBC Padding Check
GHSA-ffrq-5rxw-xj5m published Sep 11, 2025 by IngelaAndin

Moderate
TLS Occasional Improper ROOT Certificate Validation
GHSA-3rgm-p3c6-g54m published Sep 11, 2025 by IngelaAndin

High
TLS Client Authentication Bypass
GHSA-f7jg-qm7f-ppm8 published Sep 11, 2025 by IngelaAndin

Critical
SSH Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
GHSA-h7rg-6rjg-4cph published Sep 10, 2025 by u3s

Moderate

Learn more about advisories related to erlang/otp in the GitHub Advisory Database