The Erlang Ecosystem Foundation CNA has officially
joined the CVE® Program as an authorized
CVE Numbering Authority (CNA). This designation allows us to assign CVE IDs and
publish CVE Records for publicly disclosed cybersecurity vulnerabilities within
our defined scope, helping to improve security and transparency in the broader
open-source community.
Coding web apps with Elixir + Phoenix offers a strong foundation, but real
security demands vigilance. Drawing on hands-on pentesting experience, this
article outlines 11 essential best practices — from maintaining a public-app
inventory and running static analysis (Sobelow) to locking down SSH/ports,
limiting exposure of your database and user uploads, averting SSRF, and avoiding
mass assignment vulnerabilities — to help developers prevent data breaches.
EPMD (the Erlang Port Mapper Daemon), which Erlang distribution and RabbitMQ clustering rely on, is often left reachable from the Internet. This post explains the security risks that creates and the mitigation steps to take quickly.
This post shows how unsafe use of :erlang.binary_to_term/2 (even with the :safe
option) can enable remote code execution in Elixir/Phoenix apps, demonstrates a
real Paginator exploit that deserializes attacker-supplied functions, and gives
practical fixes: use Plug.Crypto.non_executable_binary_to_term/2, run Sobelow
scans, and follow secure serialization guidance to prevent RCE.
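The following is an added example, not code from the post above or from the Paginator project. It shows the distinction the post is about: :erlang.binary_to_term/2 with :safe still hands back a callable fun when the referenced function is already loaded, while Plug.Crypto.non_executable_binary_to_term/2 rejects it. The CursorDemo module and its cursor format are hypothetical; the only assumption is that the plug_crypto package is available (fetched here with Mix.install, and already a dependency of any Phoenix app).

```elixir
# Added example; not code from the original post or from Paginator.
# Assumes the plug_crypto package is available (pulled in here with
# Mix.install; inside a Phoenix app it is already a dependency of plug).
Mix.install([{:plug_crypto, "~> 2.0"}])

defmodule CursorDemo do
  # Hypothetical pagination-style cursor decoder: base64 in, Erlang term out.
  # `:safe` blocks new atoms and references to functions that are not
  # loaded, but it still decodes funs that point at existing code.
  def decode_with_safe(cursor) do
    cursor |> Base.url_decode64!() |> :erlang.binary_to_term([:safe])
  end

  # Same decoder, but any fun (anonymous or external) raises ArgumentError.
  def decode_hardened(cursor) do
    cursor |> Base.url_decode64!() |> Plug.Crypto.non_executable_binary_to_term([:safe])
  end

  # A legitimate cursor carrying a map of fields.
  def honest_cursor, do: encode(%{id: 42})

  # What an attacker can send instead: an external fun to a function that
  # is always loaded. If downstream code ever applies it, the attacker
  # chooses which command the application runs.
  def malicious_cursor, do: encode(&System.cmd/2)

  defp encode(term), do: term |> :erlang.term_to_binary() |> Base.url_encode64()
end

# Legitimate input decodes fine either way.
IO.inspect(CursorDemo.decode_with_safe(CursorDemo.honest_cursor()), label: "safe/honest")
IO.inspect(CursorDemo.decode_hardened(CursorDemo.honest_cursor()), label: "hardened/honest")

# With :safe alone the attacker's fun comes back callable: any later
# apply/2 or Enum.map/2 that invokes cursor contents is now RCE.
fun = CursorDemo.decode_with_safe(CursorDemo.malicious_cursor())
IO.inspect(is_function(fun, 2), label: "safe/malicious decoded to a fun?")

# The hardened decoder refuses the same payload before anything can call it.
try do
  CursorDemo.decode_hardened(CursorDemo.malicious_cursor())
rescue
  e in ArgumentError -> IO.puts("hardened/malicious rejected: " <> Exception.message(e))
end
```

Run it with `elixir cursor_demo.exs`: the honest cursor decodes to the map in both paths, the :safe path returns a 2-arity fun for the malicious cursor, and the hardened path raises ArgumentError for it. Note that :safe still matters (it stops atom-table exhaustion); the hardened call keeps it and adds the fun check on top.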
This post demonstrates how SQL injection can still occur in Phoenix apps despite
Ecto’s protections, showing safe vs. unsafe patterns, a working exploit built
from unsafe string interpolation, and practical detection and mitigation using
Sobelow and parameterized queries to keep Phoenix apps secure.
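The following is an added example, not code from the post above. It puts the unsafe interpolated query next to two safe forms of the same lookup. MyApp.Repo (a Postgres-backed Ecto repo) and a `users` table with `id` and `name` columns are assumed and hypothetical.

```elixir
# Added example; not code from the original post. Assumes a Phoenix app
# with MyApp.Repo on the Postgres adapter and a hypothetical `users` table.
defmodule MyApp.UserLookup do
  import Ecto.Query
  alias MyApp.Repo

  # UNSAFE: user input is spliced into the SQL string. Ecto never parses
  # this; the database executes whatever the caller assembled.
  def find_unsafe(name) do
    sql = "SELECT id, name FROM users WHERE name = '#{name}'"
    Ecto.Adapters.SQL.query!(Repo, sql).rows
  end

  # SAFE: the same raw query with a bound parameter. The value travels
  # separately from the statement, so quotes inside it are just data.
  def find_parameterized(name) do
    sql = "SELECT id, name FROM users WHERE name = $1"
    Ecto.Adapters.SQL.query!(Repo, sql, [name]).rows
  end

  # SAFE: idiomatic Ecto. The pin operator turns `name` into a parameter;
  # fragment/1 with `?` placeholders is safe for the same reason.
  def find_query(name) do
    from(u in "users", where: u.name == ^name, select: {u.id, u.name})
    |> Repo.all()
  end
end

# A classic payload. In find_unsafe/1 it rewrites the statement to
#   SELECT id, name FROM users WHERE name = '' OR '1'='1'
# In the other two functions it is compared literally against the column.
payload = "' OR '1'='1"
MyApp.UserLookup.find_unsafe(payload)
MyApp.UserLookup.find_parameterized(payload)
MyApp.UserLookup.find_query(payload)
```

Against a populated table the first call returns every user while the other two return no rows, because no user is literally named `' OR '1'='1`. Running `mix sobelow` in the project reports the interpolated string in find_unsafe/1 under its SQL injection checks; the two parameterized forms produce no finding.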