RabbitMQ is not affected by CVE-2025-32433 (an Erlang/OTP CVE)

RabbitMQ is Not Affected by CVE-2025-32433

RabbitMQ is not affected by CVE-2025-32433, a vulnerability in Erlang's SSH library. RabbitMQ does not use SSH, neither its server nor its client part.

Team RabbitMQ's Erlang Packages Do Not Include SSH

Team RabbitMQ produces a zero-dependency Erlang RPM that does not include the SSH library, since it is not used. Our Debian packages are split into multiple fine-grained components, and the RabbitMQ installation guide skips SSH library installation.

Patched Versions Are Available

Team RabbitMQ's RPM repositories and Debian repositories were updated to include Erlang 27.3.3, 26.2.5.11 and 25.3.2.20.

For aarch64 (64-bit ARM) RPM packages, see rabbitmq/erlang-rpm releases.

For aarch64 (64-bit ARM) Debian packages of Erlang 26.2.5.11, see this Launchpad repository.

The RabbitMQ community Docker image was also upgraded to Erlang 27.3.3 and 26.2.5.11 last week.
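One way to audit nodes against the versions listed above, as an added example that is not part of the original post or of RabbitMQ's tooling: the script classifies an Erlang/OTP version by release series and records whether the `ssh` application is installed at all. The function names and the sample inventory are constructed for illustration, and any series this page does not list is reported as `unknown`.

```shell
#!/bin/sh
# Added example. Patched versions per release series are the ones this page lists.
patched_for_series() {
  case "$1" in
    27) echo 27.3.3 ;;
    26) echo 26.2.5.11 ;;
    25) echo 25.3.2.20 ;;
    *)  return 1 ;;   # series not mentioned on the page
  esac
}

# ver_ge A B: succeeds when dotted numeric version A >= B (missing parts count as 0).
ver_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# classify_otp VERSION HAS_SSH(yes|no) -> patched | ssh-absent | needs-upgrade | unknown
classify_otp() {
  ver=$1 has_ssh=${2:-yes}
  case "$ver" in ''|*[!0-9.]*) echo unknown; return 0 ;; esac   # e.g. 28.0-rc1
  fixed=$(patched_for_series "${ver%%.*}") || { echo unknown; return 0; }
  if ver_ge "$ver" "$fixed"; then echo patched
  elif [ "$has_ssh" = no ]; then echo ssh-absent   # below the fix, library not installed
  else echo needs-upgrade
  fi
}

# probe_local: prints "<OTP version> <yes|no>" for the Erlang runtime on PATH.
probe_local() {
  erl -noshell -eval '
    {ok, V} = file:read_file(filename:join([code:root_dir(), "releases",
                erlang:system_info(otp_release), "OTP_VERSION"])),
    Ssh = case code:lib_dir(ssh) of {error, _} -> "no"; _ -> "yes" end,
    io:format("~s ~s~n", [string:trim(V), Ssh]), halt().'
}

# Constructed sample inventory: "version has_ssh" pairs, not real hosts.
for entry in "27.3.3 yes" "26.2.5.10 yes" "25.3.2.19 no" "24.3.4 yes"; do
  set -- $entry
  printf '%s ssh=%s -> %s\n' "$1" "$2" "$(classify_otp "$1" "$2")"
done
```

On a host with Erlang installed, `classify_otp $(probe_local)` applies the same check to the local runtime.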