RabbitMQ is not affected by CVE-2025-32433 (an Erlang/OTP CVE)
RabbitMQ is Not Affected by CVE-2025-32433
RabbitMQ is not affected by CVE-2025-32433, a vulnerability in Erlang's SSH library. RabbitMQ does not use SSH, neither its server nor its client part.
Team RabbitMQ's Erlang Packages Do Not Include SSH
Team RabbitMQ produces a zero-dependency Erlang RPM that does not include the SSH library, since it is not used. Our Debian packages are split into multiple fine-grained components, and the RabbitMQ installation guide skips SSH library installation.
Patched Versions Are Available
Team RabbitMQ's RPM repositories and Debian repositories were updated to include Erlang 27.3.3, 26.2.5.11 and 25.3.2.20.
For aarch64 (64-bit ARM) RPM packages, see rabbitmq/erlang-rpm releases.
For aarch64 (64-bit ARM) Debian packages of Erlang 26.2.5.11, see this Launchpad repository.
The RabbitMQ community Docker image was also upgraded to Erlang 27.3.3 and 26.2.5.11 last week.
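
A host check for the two facts this post relies on, added here as an example and not taken from the RabbitMQ project: whether the local Erlang install ships the `ssh` library at all, and whether its OTP version is at or above the patched release for its series. The function names are made up for illustration, `sort -V` (GNU coreutils) is assumed, and the only version numbers used are the three listed above.

```shell
#!/bin/sh
# Added example. Patched releases are the three named in this post.
PATCHED="27.3.3 26.2.5.11 25.3.2.20"

# otp_patch_status VERSION -> prints patched | below-patched | unknown
otp_patch_status() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # empty or not dotted digits
    esac
    for min in $PATCHED; do
        [ "${min%%.*}" = "${ver%%.*}" ] || continue   # same major series only
        # Version-aware sort: 26.2.5.2 < 26.2.5.11, unlike a plain string sort.
        lowest=$(printf '%s\n%s\n' "$min" "$ver" | sort -V | head -n 1)
        if [ "$lowest" = "$min" ]; then echo patched; else echo below-patched; fi
        return 0
    done
    echo unknown   # series not listed in the post
}

# local_otp_version: full OTP version of the erl on PATH (empty if unavailable)
local_otp_version() {
    command -v erl >/dev/null 2>&1 || return 0
    erl -noshell -eval '
        F = filename:join([code:root_dir(), "releases",
                           erlang:system_info(otp_release), "OTP_VERSION"]),
        case file:read_file(F) of
            {ok, B} -> io:format("~s", [string:trim(B)]);
            _ -> ok
        end, halt().'
}

# ssh_lib_present: yes | no | no-erl (is the ssh application installed?)
ssh_lib_present() {
    command -v erl >/dev/null 2>&1 || { echo no-erl; return 0; }
    erl -noshell -eval '
        case code:lib_dir(ssh) of
            {error, _} -> io:format("no");
            _ -> io:format("yes")
        end, halt().'
}

report() {
    found=$(local_otp_version)
    echo "OTP ${found:-not found}: $(otp_patch_status "$found"), ssh library: $(ssh_lib_present)"
}
report
```

A `below-patched` result only matters on hosts where `ssh_lib_present` prints `yes` and something on the node actually starts the SSH application.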