Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/195385?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/195385?format=api", "purl": "pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4", "type": "deb", "namespace": "debian", "name": "erlang", "version": "1:25.2.3+dfsg-1+deb12u4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1:27.3.4.12+dfsg-1", "latest_non_vulnerable_version": "1:27.3.4.12+dfsg-1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/63450?format=api", "vulnerability_id": "VCID-dazh-ypb5-akfp", "summary": "erlang/otp: Erlang/OTP kernel: DNS cache poisoning via predictable DNS transaction IDs", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28810.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28810.json" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455868", "reference_id": "2455868", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455868" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195831?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1" } ], "aliases": [ "CVE-2026-28810" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dazh-ypb5-akfp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66633?format=api", "vulnerability_id": "VCID-wsby-unw4-zqe7", "summary": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com) First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.", "references": [], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195831?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1" } ], "aliases": [ "CVE-2026-42790" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wsby-unw4-zqe7" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66623?format=api", "vulnerability_id": "VCID-dccw-cx8r-r7a1", "summary": "Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).", "references": [ { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104963", "reference_id": "1104963", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104963" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195385?format=api", "purl": "pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dazh-ypb5-akfp" }, { "vulnerability": "VCID-wsby-unw4-zqe7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4" } ], "aliases": [ "CVE-2025-46712" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dccw-cx8r-r7a1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66626?format=api", "vulnerability_id": "VCID-yyfx-f783-fqgk", "summary": "Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48040.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48040.json" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115091", "reference_id": "1115091", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115091" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394521", "reference_id": "2394521", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394521" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/195385?format=api", "purl": "pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dazh-ypb5-akfp" }, { "vulnerability": "VCID-wsby-unw4-zqe7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4" } ], "aliases": [ "CVE-2025-48040" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yyfx-f783-fqgk" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4" }