CVE-2025-46712: 
CBL Mariner vulnerability analysis and mitigation

Erlang/OTP SSH, a component of the Erlang programming language libraries, contains a vulnerability (CVE-2025-46712) discovered in May 2025. The vulnerability affects versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), where the SSH implementation fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged (NVD, GitHub Advisory).

The vulnerability stems from violations of the draft-miller-sshm-strict-kex-01 specification in multiple ways: after SSH_MSG_KEX_INIT, the client may send SSH_MSG_DEBUG, SSH_MSG_IGNORE, or SSH_MSG_UNIMPLEMENTED; after SSH_MSG_ECDH_INIT, the client may send SSH_MSG_DEBUG or SSH_MSG_UNIMPLEMENTED; and SSH_MSG_KEX_DH_GEX_REQUEST does not correctly close the connection in non-DH GEX key exchanges. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (Low) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability allows a Man-in-the-Middle attacker to inject messages during the connection handshake. However, as the optional messages are most likely to be ignored, there is no immediate security impact that has been identified. The issue is primarily a violation of security-relevant protocol extension specifications, which may cause issues in the future (GitHub Advisory).

The vulnerability has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25). Users are advised to update to these versions to mitigate the issue. The fix implements proper KEX strict implementation according to the draft-miller-sshm-strict-kex-01 document (GitHub Advisory).

The vulnerability was discovered and responsibly disclosed by researchers Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk from the Ruhr University Bochum (GitHub Advisory).