Is RabbitMQ affected due to CVE-2025-4748 and CVE-2023-45853 #14319
RabbitMQ version used: 4.1.0
Erlang version used: 27.3.3

I am using Erlang 27.3.3. The given version of Erlang uses zlib 1.2.13.
Replies: 2 comments
Given that you're using an affected OTP version, you may be impacted by CVE-2025-4748, but you can update Erlang OTP to 27.3.4.1, which is not impacted. We would also recommend upgrading to the latest RabbitMQ patch to get the latest fixes as well. However, it is worth noting that, due to the nature of this CVE, it's only an issue if an untrusted program is using zlib via OTP. In other words, RabbitMQ or another program running on the BEAM could use zlib to access files they do not have permission to access, but assuming you trust RabbitMQ and are not running other Erlang programs, this is not really an issue. CVE-2023-45853 is in MiniZip, not the supported core of zlib, so no, RabbitMQ is not impacted by this CVE.
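To turn the version advice in the reply above into a repeatable check, here is an added example (not RabbitMQ's code and not posted in the thread) that compares an installed Erlang/OTP version string against the 27.3.4.1 fix version the reply names for CVE-2025-4748. The `releases/<release>/OTP_VERSION` file layout and the `erl` invocation are standard OTP; the function names and the "unknown" verdict for non-27.x branches are this example's own assumptions, since the thread only states the fix for 27.x.

```python
"""Gate an OTP install against the CVE-2025-4748 fix version (27.3.4.1).

Constructed example: the thread states the fix for the 27.x branch only,
so other major branches are reported as 'unknown' rather than guessed.
"""
import os
import subprocess

# Fix version named in the discussion for the 27.x branch.
FIXED_27_BRANCH = (27, 3, 4, 1)


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Turn '27.3.3' / '27.3.4.1' into an int tuple so that comparison is
    numeric ('27.3.10' > '27.3.4.1'), not lexical."""
    text = text.strip()
    if not text:
        raise ValueError("empty OTP version string")
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable OTP version {text!r}") from exc


def otp_status_for_cve_2025_4748(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for an OTP version string."""
    v = parse_otp_version(version)
    if v[0] != 27:
        return "unknown"          # thread gives no fix version for other branches
    # Tuple comparison handles the short '27.3.4' < '27.3.4.1' case correctly.
    return "fixed" if v >= FIXED_27_BRANCH else "affected"


def read_installed_otp_version(root_dir: str, otp_release: str) -> str:
    """Read the full version from <root>/releases/<release>/OTP_VERSION."""
    path = os.path.join(root_dir, "releases", otp_release, "OTP_VERSION")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Ask the local VM for its root dir and release (e.g. '27'), then check.
    eval_expr = ('io:format("~s ~s~n", [code:root_dir(), '
                 'erlang:system_info(otp_release)]), halt().')
    out = subprocess.check_output(["erl", "-noshell", "-eval", eval_expr], text=True)
    root_dir, release = out.split()
    full = read_installed_otp_version(root_dir, release)
    print(f"OTP {full}: {otp_status_for_cve_2025_4748(full)}")
```

Run it on the RabbitMQ host; a verdict of "affected" means the reply's upgrade to 27.3.4.1 (and a current RabbitMQ patch release) applies.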
RabbitMQ uses The only "production code" in open source RabbitMQ that uses The best path forward is to upgrade to a more recent Erlang 27.x version (