This article explains whether the critical vulnerabilities CVE-2025-32433 and CVE-2025-22868 affect RabbitMQ deployments and what actions users should take.
Applies to: VMware RabbitMQ 3.13.6 (RMQ 3.13.6, Erlang 26.2.5). Note: CVE-2025-22868 affects a Go library, see https://go-review.googlesource.com/c/oauth2/+/652155
CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability
CVE-2025-32433 is a critical, unauthenticated remote code execution (RCE) vulnerability affecting the SSH server component in Erlang/OTP (Open Telecom Platform). It allows attackers with network access to execute arbitrary code without authentication by sending specially crafted SSH handshake messages.
This vulnerability carries a maximum CVSS score of 10.0, indicating severe risk, and has been actively exploited in the wild.
Impact on RabbitMQ:
RabbitMQ itself is not affected by CVE-2025-32433 because RabbitMQ does not use the Erlang SSH library—neither the SSH server nor client functionality is included or required in RabbitMQ's operation.
The Erlang packages distributed by the RabbitMQ team explicitly exclude the SSH library, and RabbitMQ installation guides do not include SSH components.
Erlang/OTP releases before OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20 carry the vulnerable SSH server, but the Erlang builds RabbitMQ uses either omit the ssh application entirely or have been updated to a fixed release.
Summary: RabbitMQ does not expose the vulnerable component, so this CVE does not impact RabbitMQ installations.
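The two facts that make RabbitMQ unaffected (the ssh application is absent from its Erlang build, and the fix landed in OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20) can both be verified on a host. The script below is an added example, not code from the RabbitMQ project or this article: it compares an OTP version string against those fix releases, looks for an ssh-* application directory in an Erlang lib directory, and, when `erl` is on PATH, queries the local runtime for its OTP_VERSION and for `code:lib_dir(ssh)`. The fix-release table is taken from the text; the assumption that OTP majors newer than 27 are fixed and majors older than 25 are not is mine and is marked in the code.

```shell
#!/bin/sh
# Added example (not part of the original article): local checks for
# CVE-2025-32433 exposure on an Erlang/OTP install such as the one
# RabbitMQ runs on.

# version_ge A B: exit 0 when dotted version A is >= dotted version B.
# Missing trailing fields count as 0, so 26.2.5 < 26.2.5.11.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "$x" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=''; else b=${b#*.}; fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# otp_fixed VERSION: exit 0 when VERSION is on or after the release that
# fixed CVE-2025-32433 for its major line (27.3.3, 26.2.5.11, 25.3.2.20 per
# the advisory). Assumption: majors above 27 are treated as fixed and
# majors below 25 as not fixed; confirm against the official OTP advisory.
otp_fixed() {
    major=${1%%.*}
    case "$major" in
        27) version_ge "$1" 27.3.3 ;;
        26) version_ge "$1" 26.2.5.11 ;;
        25) version_ge "$1" 25.3.2.20 ;;
        *)  [ "$major" -gt 27 ] ;;
    esac
}

# ssh_app_present LIBDIR: exit 0 when an ssh-<version> application
# directory exists under LIBDIR (e.g. /usr/lib/erlang/lib).
ssh_app_present() {
    for d in "$1"/ssh-*; do
        [ -d "$d" ] && return 0
    done
    return 1
}

# check_local_runtime: ask the erl on PATH for its full OTP version and
# whether the ssh application is resolvable. Prints a verdict; exit 0 when
# the runtime is not exposed (ssh absent or version fixed), 1 otherwise.
check_local_runtime() {
    command -v erl >/dev/null 2>&1 || { echo "erl not on PATH, skipping live check"; return 0; }
    otp_ver=$(erl -noshell -eval '{ok, V} = file:read_file(filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])), io:format("~s", [string:trim(V)]), halt().')
    ssh_dir=$(erl -noshell -eval 'io:format("~p", [code:lib_dir(ssh)]), halt().')
    echo "OTP version: $otp_ver"
    echo "code:lib_dir(ssh): $ssh_dir"
    if [ "$ssh_dir" = "{error,bad_name}" ]; then
        echo "verdict: ssh application absent, CVE-2025-32433 not exposed"
        return 0
    fi
    if otp_fixed "$otp_ver"; then
        echo "verdict: ssh present but OTP $otp_ver contains the fix"
        return 0
    fi
    echo "verdict: ssh present on unfixed OTP $otp_ver, patch this host"
    return 1
}

# Usage when run directly: ./check_otp_ssh.sh
if [ "${0##*/}" = "check_otp_ssh.sh" ]; then
    check_local_runtime
fi
```

Against a running broker the same two facts can be read through the CLI without a separate `erl`: `rabbitmq-diagnostics erlang_version` prints the runtime version and `rabbitmqctl eval 'code:lib_dir(ssh).'` returns `{error,bad_name}` on a node whose Erlang build omits the ssh application. Note that for the 3.13.6 deployment named at the top of this article the version alone (Erlang 26.2.5, below 26.2.5.11) would read as unfixed; it is the absence of the ssh application that removes the exposure.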
CVE-2025-22868:
CVE-2025-22868 is a vulnerability in a Go library (see the oauth2 change linked in the references), and there is no publicly available or credible evidence that it impacts RabbitMQ. It appears unrelated to RabbitMQ or to its underlying Erlang/OTP platform components in terms of direct risk or exploitability. Monitor the official RabbitMQ and Erlang security advisories for further details.
Recommendations:
For environments running Erlang/OTP services beyond RabbitMQ that do expose SSH services based on Erlang, immediately apply Erlang patches that address CVE-2025-32433.
Stay current with RabbitMQ releases and Erlang runtime updates to ensure security fixes and best practices are applied.
Monitor RabbitMQ official sources and Erlang/OTP security bulletins for any new advisories related to these or other CVEs.
References:
RabbitMQ official statement on CVE-2025-32433: RabbitMQ does not use Erlang’s SSH library and so is not vulnerable.
Erlang/OTP CVE-2025-32433 security advisories and technical analysis.
If you need help verifying your RabbitMQ environment or applying security updates, contact support or refer to the official RabbitMQ documentation.
CVE-2025-22868 (Go oauth2 library fix): https://go-review.googlesource.com/c/oauth2/+/652155
CVE-2025-32433 (Erlang/OTP SSH library), RabbitMQ discussion: https://github.com/rabbitmq/rabbitmq-server/discussions/13796