Security has been front of mind in the BEAM world this year, and there's good news on how the ecosystem is responding.
The wake-up call: CVE-2025-32433
In April 2025, CVE-2025-32433 landed: an unauthenticated remote code execution flaw in Erlang/OTP's SSH server (the ssh application), rated CVSS 10.0. The server processed SSH connection-protocol messages before authentication had completed, so anyone who could reach the port could execute code on the node with no credentials at all. It was fixed in OTP-27.3.3, 26.2.5.11 and 25.3.2.20. The point to take away is that this is a runtime bug, not an application bug: anything that starts the OTP ssh daemon (a server, a release's remote console, an embedded device) is exposed until the runtime itself is patched.
OTP 29 responds
That focus shows up directly in OTP 29: SSH is now secure-by-default (shell and exec disabled unless you enable them), TLS defaults to a post-quantum key exchange, and the compiler warns about unsafe functions, alongside a new set of secure coding guidelines.
The EEF is now a CVE Numbering Authority
The bigger structural change: the Erlang Ecosystem Foundation is now a CNA (a CVE Numbering Authority). It assigns CVE IDs and publishes advisories for active Hex.pm packages and the elixir-lang, erlang, erlef and gleam-lang GitHub orgs, with records published at cna.erlef.org. It is already coordinating real disclosures: recent 2026 advisories cover Tesla (the Elixir HTTP client) middleware, certificate validation in OTP's public_key application, and the Mint HTTP/2 client. In practice that means one place to report a BEAM vulnerability and one properly identified, tracked record for each one, for the whole ecosystem rather than project by project.
What to do
- Keep Elixir and OTP patched: most BEAM CVEs are fixed quickly across all supported release lines, so you can usually stay on your current major and just take the patch release.
- Watch cna.erlef.org and the EEF security advisories.
- Run mix hex.audit to catch retired packages, and consider mix_audit (mix deps.audit) to scan dependencies against known advisories in CI.
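Here is what those three items look like wired into one CI step. This is an added example, not code from the original post or from the EEF, OTP or mix_audit projects. The fixed-version table comes from the CVE-2025-32433 advisory above; everything else is my assumption: the script name beam_gate.sh and its "run" argument are hypothetical, OTP versions are assumed to be plain dotted numerics (no "-rc" suffix), OTP 28 and later are treated as post-fix, and anything below 25 is out of support and treated as unpatched.

```shell
#!/bin/sh
# Added example (not the post's or any project's code): a CI gate for a BEAM
# project. It (1) refuses to ship on an OTP patch level still exposed to
# CVE-2025-32433 and (2) runs the two dependency audits from the list above.
# Fixed versions per the advisory: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20.
# Assumptions (mine): numeric dotted versions only, OTP 28+ is post-fix,
# anything older than 25 is unsupported and counted as unpatched.

# vercmp A B: compare dotted version strings component by component,
# numerically, printing -1, 0 or 1. A missing trailing component counts
# as 0, so "26.2.5" sorts below "26.2.5.11".
vercmp() {
  a=$1
  b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}
    bi=${b%%.*}
    : "${ai:=0}"
    : "${bi:=0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# otp_patched_for_cve_2025_32433 VERSION: true (0) when VERSION is at or
# above the fix for its release line, false (1) otherwise.
otp_patched_for_cve_2025_32433() {
  v=$1
  major=${v%%.*}
  case "$major" in
    27) fix=27.3.3 ;;
    26) fix=26.2.5.11 ;;
    25) fix=25.3.2.20 ;;
    *)
      # Assumption: 28+ shipped after the fix; <25 never received it.
      if [ "$major" -ge 28 ]; then return 0; else return 1; fi
      ;;
  esac
  if [ "$(vercmp "$v" "$fix")" -ge 0 ]; then return 0; else return 1; fi
}

# otp_version: print the full patch level of the erl on PATH (e.g. 26.2.5.11).
# erlang:system_info(otp_release) only gives the major; the full version is
# in the release's OTP_VERSION file.
otp_version() {
  erl -noshell -eval '
    Rel = erlang:system_info(otp_release),
    {ok, V} = file:read_file(filename:join([code:root_dir(), "releases", Rel, "OTP_VERSION"])),
    io:format("~s", [string:trim(V)]),
    halt().'
}

# ci_gate: the actual CI step. Non-zero exit on an unpatched runtime, a
# retired dependency, or a dependency with a known advisory.
ci_gate() {
  v=$(otp_version)
  if otp_patched_for_cve_2025_32433 "$v"; then
    echo "OTP $v: not affected by CVE-2025-32433"
  else
    echo "OTP $v: still exposed to CVE-2025-32433, upgrade the runtime" >&2
    return 1
  fi
  mix hex.audit   # exits non-zero if any dependency has been retired on Hex.pm
  mix deps.audit  # from the mix_audit package; exits non-zero on known advisories
}

# Only run the gate when invoked as "sh beam_gate.sh run", so the functions can
# be sourced elsewhere (or tested) without erl and mix on the machine.
if [ "${1:-}" = run ]; then
  ci_gate
fi
```

The version check is the part worth keeping even after every build image is upgraded: it is a one-line table to extend when the next runtime CVE lands, and it fails the pipeline on the day a base image silently rolls back to an old patch release, which is the failure mode the "keep the runtime patched" advice is really about.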