Phoenix 1.8.0-rc was released in March 2025 to much excitement in the Elixir community. Highlights included daisyUI, enhancements to phx.gen.auth, and scopes to ensure strong access control. Given the security improvements in the first release candidate, it seems appropriate that the final release of Phoenix 1.8 will include official security documentation.

At GetThru, we use Elixir to build peer-to-peer communication tools that help mission-driven organizations connect with people at scale. Our clients, ranging from advocacy groups to educational institutions, trust us to take security seriously, which we are committed to do.

CVE-2025-32433, an Unauthenticated Remote Code Execution in Erlang/OTP SSH recently had every organization using Elixir asking the same question: Can a bad guy hack our internet facing web applications and cause a data breach? If you are responsible for the security of Elixir projects (which use the Erlang VM), and you are currently a customer of the legacy application security firms, you were likely disappointed with their inability to detect CVE-2025-32433. Why is it that firms specialized in application security will claim Elixir support, yet fail to deliver when the chips are down? The answer can be found by examining the incentive structure between investors and security vendors.

CVE-2025-32433, an Unauthenticated Remote Code Execution in Erlang/OTP SSH was announced yesterday. From the description:

Developers use Paraxial.io to ensure their software is safe against cyberattacks. This protection is also required by many regulatory and compliance frameworks. System and Organization Controls 2 (SOC 2) was created by the American Institute of Certified Public Accountants (AICPA), and is a common requirement for SaaS businesses looking to sell into enterprise markets. Using Paraxial.io fulfills the following controls:

In the taxonomy of security vulnerabilities, remote code execution (RCE) typically ranks as the most severe. A web application that is vulnerable to RCE can be exploited by an attacker, who gets the equivalent of production SSH access to the underlying web server. With this level of access the bad guy can:

Coding a web application in Elixir with the Phoenix framework gives you an incredibly solid base. Any security problems that occur are preventable, if you know what to watch out for. The list below is based on my own professional experience pentesting Elixir applications, and building a company to help developers with security. My goal is to help you avoid a data breach due to your project being hacked, each line item was selected with that consideration in mind.

Today Paraxial.io 3.0 is live, a major upgrade to help developers with software security. Perhaps the best way to communicate how much has been accomplished is to list all the improvements shipped:

Paraxial.io has completed a security audit of Oban Pro and Oban Web. The project contains a set of Elixir libraries used by Fortune 500 companies and leading startups to process background jobs and manage complex workflows. Paraxial.io was selected for this engagement because of our expertise with Elixir. Key findings:

Every Ruby on Rails application exposed to the public internet will be attacked by hackers scanning for SQL injection, remote code execution, and similar vulnerabilities that lead to total system compromise. This guide will cover the most relevant threats and how to take advantage of free Rails security scanning by Paraxial.io.

Gem Shop is an intentionally vulnerable Ruby on Rails 8 project for security education, with examples of SQL injection, cross site scripting (XSS), broken access control, and more. The application is a simple e-commerce site where users can shop for gemstones. Most people are familiar with online shopping today, so starting with this base students can learn how security issues occur in a Rails codebase. The project is open source and hosted on the Paraxial.io GitHub.

Paraxial.io can now continuously monitor your servers’ open ports and SSH settings. If you are hosting an application in a virtual private server (VPS), for example an AWS EC2 instance, this is a useful security check to ensure your server is not exposing sensitive internal software to the public internet.

Across all the web applications in your organization, how many vulnerabilities are currently outstanding? Is this number increasing or decreasing over time? How many of those are critical severity, found in internet-facing projects? Paraxial.io helps engineers answer these questions. Today the Vulnerability Report feature of Paraxial.io is live in all accounts, providing a detailed breakdown of this data over time.

All web applications on the public internet will be targeted by automated malicious scanners. A common example is WordPress, due to how many sites use it, and the high number of exploitable bugs. If you have a Ruby or Elixir app, a malicious bot scanning for WordPress vulnerabilities does not pose a real threat, because the exploit being used will not work. There are several good reasons to still ban the offending IP:

The best advice I can give as an IT security professional on running your own server: just don’t. - How To Protect Your Linux Server From Hackers!, LiveOverflow

How would a cybersecurity breach affect your startup’s growth? It is hard to imagine a positive outcome. The goal of a startup is to grow quickly, and ensuring the security of customer data keeps the momentum going. Every company today needs to prioritize security, yet there is a common misconception that security is a cost center, while sales and marketing are profit centers. Where does this idea come from?

Paraxial.io is a security company building a product targeted at developers. Our goal is to make securing your application as painless as possible. Naturally, building a good product requires connecting with users. Rails World 2024 was held in Toronto last week, and Paraxial.io was proud to sponsor the conference.

Ruby on Rails is a project that needs no introduction. Used at companies including Airbnb, Coinbase, Shopify, and GitHub, it is difficult to estimate the enormous contribution of Rails to the modern web. Started by David Heinemeier Hansson of 37signals, Rails has influenced most web frameworks currently in use. Today support for Ruby on Rails is live in Paraxial.io. Developers can now secure their Rails app with Paraxial.io, taking advantage of features including:

Gigalixir is a popular Platform as a Service (PaaS) provider for Elixir applications, for good reason. The service was built from the ground up for Elixir developers, from individuals deploying their first application to businesses relying on the service for critical revenue generating applications. When it comes to securing an Elixir application, support from legacy security vendors is bad, and often requires mucking about with docker, installing an additional language (such as Java), and fails to secure applications hosted on a PaaS such as Gigalixir.

Paraxial.io stops data breaches by helping developers ship secure applications. The key benefit is that you don’t need to be a security expert to ensure your app is safe, Paraxial.io makes the work simple, with features including:

Paraxial.io helps developers ensure the project they are shipping is secure. Today you can use most Paraxial.io features for free (no credit card required) to ensure the security of your non-commercial work. What does this mean? Lets say you have a side project, hosted on the public internet, where people can create an account and share lists of media with their friends (books, podcasts, music, movies, etc). The security risk here seems low, but consider the following scenarios:

The OWASP Top 10 is a well known application security awareness document. When a developer working on internet-facing web applications decides to learn about security, OWASP is a frequently recommended source of information, with the Top 10 as the most famous project. The point of this article is to provide developers with enough context to understand the strengths and limitations of the Top 10 document. To properly engage with this subject, it is necessary to define a web application that is vulnerable to some security problems. This article will use the intentionally vulnerable Elixir and Phoenix project Potion Shop to explain how the Top 10 relates to real world security issues.

Phoenix LiveView has seen incredible adoption in the past few years, providing developers with the ability to ship real time web applications with minimal latency and bandwidth usage. Paraxial.io is the only security product with a strong Elixir focus, so a natural question is “Does Paraxial.io support LiveView”? The answer is yes!

Jira is the industry leading project management tool used by security, engineering, and product teams. Today the Paraxial.io Jira integration is officially available. How does it work? Consider the following Paraxial.io finding:

TL;DR? Upgrade your Paraxial agent to 2.7.3 in mix. When you start your Elixir app, Paraxial.io will record the version of xz you are running in production, to be viewed in the site’s App Audit. 5.6.0 and 5.6.1 have the backdoor, other versions are safe.

ElixirConf EU is happening on April 18th in Lisbon, Portugal. Paraxial.io is a Gold Sponsor, and will be at the conference in-person. I will be giving a talk, “The Elixir Security Roadmap”, on how organizations using Elixir can prevent data breaches, and a training on April 17th, “Elixir Application Security”.

Many security vendors claim to support Elixir, yet when setup time comes the results are often disappointing. The chart above lists several common security tools and requirements for securing Elixir code, mapping features to the relevant vendors. Below are notes about how each vendor was assessed. Author contact: michael at this domain.

Paraxial.io can now manage open source license compliance for Elixir applications. If your business regulates which licenses are allowed, or simply requires this information be recorded, Paraxial.io now automates this work. There is a serendipitous feature of this release: a dependency inventory can be obtained at compile time instead of runtime.

When a web application is deployed on the internet, it is immediately going to be attacked. Businesses and organizations that rely on these apps have to safeguard the customer information and financial transactions flowing through them every day. Data breaches are a financial and legal nightmare that can be prevented.

In March 2017 an important security patch for Apache Struts was released, due to a vulnerability with public examples showing how to break into a running server. Apache Struts is to Java what Rails is to Ruby, and Phoenix is to Elixir. Equifax, a major credit bureau, did not have an inventory of every server running Apache Struts, and in May 2017 the highest profile breach ever began with a hacked web server, ending with a $425 million settlement.

Paraxial.io continuously monitors your Elixir application, ensuring it is safe and free of security vulnerabilities. Today Paraxial.io can now send a weekly summary right to your inbox, keeping you informed on the security of your organization.

Paraxial.io monitors your application 24/7, detecting and blocking attacks. When an exploit attempt fails or a bot attack is blocked, it is a noteworthy event. Someone is attacking your work, and Paraxial.io kept it safe. Today you can now receive a Slack notification when this happens.

Modern software development means code changes are pushed into production on a daily basis. A traditional penetration testing engagement provides a snapshot of an application’s security. True security requires automation, where every new change is analyzed.

The webinar Introducing Paraxial.io 2.0 is live on the Paraxial.io YouTube channel:

Today Paraxial.io 2.0 is live, delivering major improvements to help you secure your Elixir and Phoenix applications. How many internet facing Elixir apps do you currently have? When was the last time each one received a security scan? How many critical and high vulnerabilities are outstanding? Paraxial.io makes the complex task of understanding your security posture simple.

This document is to help you prevent a data breach due to your Elixir web application being hacked. It covers strategic and technical work that is the most relevant for organizations using Elixir and Phoenix. Get your copy - https://paraxial.io/roadmap

My talk from ElixirConf 2023, Elixir Security: A Business and Technical Perspective, is up on YouTube. There are several security benefits to using Elixir, yet these are not very well known in industry. This talk can be used to introduce Elixir to a broader audience. It also covers techniques for securing your own code.

Thank you to the Thinking Elixir podcast for having me as a guest for Episode 173: Web App Security Best Practices and Sobelow. Listen and make sure to subscribe on your podcast app.

Sobelow is the best static code analysis security tool for Elixir and Phoenix. If you are using Elixir in production today, it is highly recommended that all code is scanned with Sobelow, because it can detect critical vulnerabilities that lead to data breaches. This check is a requirement in many regulated industries, including finance and healthcare. Getting started with Sobelow is easy, using it effectively requires some work. Your first Sobelow scan will likely result in a high number of findings, some of which are false positives. Classifying all these findings is a significant project, daunting enough to stop many businesses from taking full advantage of Sobelow’s power.

Web Application Security Best Practices for BEAM Languages is a new document from the Erlang Ecosystem Foundation’s (EEF) Security Working Group, published September 5, 2023. It provides guidance for writing secure web applications with Elixir and Phoenix. The document is hosted on the Security WG site, alongside the Elixir Secure Coding and Deployment Hardening Guidelines. Feedback on this new release is welcome, open an issue or submit a PR via Github.

Gigalixir is a platform as a service created for Elixir and Phoenix. Launched in 2017 by Jesse Shieh, the service is loved by Elixir developers and businesses alike. In December 2021, Michael Frew acquired Gigalixir from Jesse, becoming the new owner and operator.

The Elixir programming language is well known in the world of software where uptime is critical to business success. The official description states, “Elixir is a dynamic, functional language for building scalable and maintainable applications.” This is a humble summary of the enormous power Elixir contains, which has saved businesses millions of dollars per year across industries.

In March 2021 Nathan Long published Elixir is Safe, a post about the security benefits of using Elixir, which focused on memory and thread safety. It is an excellent article for programmers and executives about the security benefits of Elixir. In July 2023 I googled “Elixir is Safe”, and the first result was a snippet from the paper, “Vision for a Secure Elixir Ecosystem: An Empirical Study of Vulnerabilities in Elixir Programs”, which was published by the ACM in April 2022.

ElixirConf US 2023 is happening in Orlando, Florida on September 5th. Paraxial.io is excited to be a sponsor, and to provide security for the conference website. Our founder Michael Lubas is speaking and giving a training on Elixir security. Elixir is a fast growing ecosystem, and ElixirConf provides an important venue for developers, business leaders, and people learning Elixir to network and create meaningful connections. Make sure to stop by the Paraxial.io sponsor booth and say hello!

A common pattern in vulnerability response is that a library has a bad security problem, and you want to check what version is running in production. The syntax of most dependency specification files (including Elixir’s mix.exs) means the exact version running cannot be determined from the file alone. Consider a library where 2.0.3 is not vulnerable, but 2.0.4 is. The project’s mix file has "~> 2.0.0", meaning ">= 2.0.0 and < 2.1.0". The reply to “Are we vulnerable right now?” is an uncomfortable “Maybe, there’s not enough information here”.

Security is critical for businesses using Elixir in production. There are many resources available to learn more about Elixir security, however it can be difficult to decide where to start. Learn more about this important topic by watching How to Learn Elixir Security from the Curiosum Elixir meetup. YouTube: https://www.youtube.com/watch?v=3STSwMOivQA

Today Paraxial.io is excited to announce Exploit Guard, which adds runtime application self protection (RASP) to Paraxial.io Application Secure. This feature allows businesses using Elixir in production to detect and stop hacking attempts at runtime. The 2017 Equifax data breach started due to a remote code execution (RCE) vulnerability in Apache Struts, a Java framework. This incident resulted in a $425 million dollar settlement, and prompted businesses executives to begin asking questions about application security. Exploit Guard blocks RCE attacks in Elixir.

When deploying your Phoenix application, it seems like there is a never ending list of security problems to worry about. XSS, CSRF, RCE, timing attacks, the list of acronyms and jargon goes on. How should you get started securing your Phoenix app? What is worth focusing on? This training will be an introduction to the web application security concepts most relevant to Phoenix applications, common vulnerabilities, and recommended best practices. This training is fully remote, September 1, 2023.

The authentication mechanism had been subject to numerous design reviews and penetration tests. The owners were confident that no feasible means existed of attacking the mechanism to gain unauthorized access.

Sobelow is the static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues. Today, detailed guidance on how to triage, verify, and fix each finding is included in Paraxial.io Application Secure. Enterprise customers can also request professional assistance when fixing reported vulnerabilities. This guide is open source, for the benefit of the Elixir community, on the Paraxial.io Github - https://github.com/paraxialio/sobelow_guide

In Elixir and Erlang, the atom is a basic type, a constant whose value is its own name. There is a hard limit on the number of atoms that can be created, the default is 1_048_576. If external user input results in atoms being created at runtime, this can cause the entire system to crash. There is an obvious question raised from all this, “If my application is vulnerable, what is the impact?”

Sobelow version 0.12.1 was released recently, adding support for HEEx templates, which are used in Phoenix LiveView. Sobelow is a static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues.

Watch Fast IP Address Matching in Elixir with Radix Trees & Persistent Term by Michael Lubas - Founder of Paraxial.io, Code BEAM America 2022.

The typical description of cross site request forgery (CSRF) involves a POST request being triggered without a secure token. If there’s a state changing HTML form making a POST, with a CSRF token, that’s validated by the server, that should be secure. Consider a web application where both a GET and POST request can perform the same state changing action. This is likely not the developer’s intention, but that is the root of most security problems in software.

Potion Shop is a Phoenix application vulnerable to common web security issues, such as RCE, XSS, and CSRF. Software developers interested in learning more about Elixir security can examine the source code and functionality of Potion Shop, to better understand how these vulnerabilities occur in a Phoenix project.

Michael: Hi Holden, what are you currently working on? How is it related to Elixir?

In a Phoenix application, is the code :erlang.binary_to_term(user_input, [:safe]) secure? The answer is no, as the Erlang documentation states, “The safe option ensures the data is safely processed by the Erlang runtime but it does not guarantee the data is safe to your application. You must always validate data from untrusted sources.” Unsafe usage of binary_to_term/2 can lead to a remote code execution (RCE) vulnerability in your application. This means an attacker sends a string of input, which executes malicious code on your production server.

Our founder Michael was on the Elixir Mix podcast this week, discussing bot defense, Elixir application security, and how developers can learn more about these topics. Listen now.

Phoenix applications with user accounts share a common set of features: a login page, account creation, and password reset via an email. These systems are exposed to bot attacks, and developers should be aware of the risks that the public internet imposes on their software. This article will show a risk assessment of a Phoenix application’s login system, and how to use the Hammer library to rate limit the number of requests to each endpoint based on IP address.

Learn how to prevent SQL injection in Elixir/Phoenix applications during this live coding webinar. The founder of Paraxial.io, Michael Lubas, will walk through an example Phoenix application, showing secure and insecure Ecto code examples, and how an SQL injection attack works.

Paraxial.io is an application security platform created for Elixir. The two primary use cases are defense against malicious web bots and vulnerability management. Similar tools on the market today include reCaptcha, Snyk, and Cloudflare bot defense. Paraxial.io’s backend is written in Elixir, all our customers are using Elixir, and even this blog is a Phoenix application running Dashbit’s NimblePublisher.

Paraxial.io is an application security platform designed for Elixir and Phoenix. We provide an alternative to tools such as Snyk, reCaptcha, and Cloudflare bot defense. You may have questions about these statements, such as, “Why do businesses buy this software?”.

Dependencies in a software project are a frequent source of security concern. The ability to detect outdated packages, and update to the latest version without breaking the project, is necessary for modern teams. In Elixir, dependencies are hosted by the Hex package manager, and managed by the Mix build tool. To better understand the ecosystem, let’s examine the different components in detail.

Paraxial.io now supports vulnerability scanning and management for Elixir applications. This is done via a mix task, which can be integrated into your CI/CD pipeline, that uploads the result of each scan to the Paraxial.io backend for tracking and reporting. This fulfills the compliance requirements for a number of security standards, and gives your team actionable metrics on the security of your project.

Rocket Validator helps website owners detect accessibility and HTML issues in their pages. The founder, Jaime Iniesta, was dealing with an annoying problem: spam user registrations. Bots would register for the service, but these signups were spam, not real humans. Jaime decided to create a Paraxial.io account, and create honeypot forms for the bots to submit. What happened next?

In Elixir, the atom is a basic type, a constant whose value is its own name. Atoms are often hard-coded, meaning the atom :red appears in source code, and is not dynamically created at runtime or compile time. However, it is possible for your application to accept user input, then create a new atom based on that input, for example:

Our founder Michael Lubas was on the Thinking Elixir Podcast this week, discussing Phoenix security and useful resources to get started defending your own applications. https://podcast.thinkingelixir.com/131

“Limit the number of login attempts for one IP address to 5 in a 30 second period” is a standard rule for many web applications, and makes sense from the perspective of a site owner dealing with malicious credential stuffing. With the rise of cloud computing, it has become much easier for an attacker to access thousands of different IP addresses, for free, to bypass IP based blocking. This article will use a Phoenix application to demonstrate what the attack looks like, and how Paraxial.io stops it.

Betafi is a user research platform that makes it easy to capture and make sense of customer feedback sessions. User interviews, usability testing, and sharing business insights are all supported. Built on Elixir and Phoenix, the team at Betafi was preparing to launch on Product Hunt, and wanted to ensure the big launch day was not disrupted by bot attacks.

Cross site request forgery (CSRF) is a type of vulnerability in web applications, where an attacker is able to forge commands from a victim user. For example, consider a social media website that is vulnerable to CSRF. An attacker creates a malicious website aimed at legitimate users. When a victim visits the malicious site, it triggers a POST request in the victim’s browser, sending a message that was written by the attacker. This results in the victim’s account making a post written by the attacker.

As Elixir and Phoenix adoption continues to increase in industry, the need for security expertise has grown as well. Finding engineers with a deep understanding of the Elixir ecosystem, and software security, is a difficult task.

There are a number of resources online related to Elixir and Phoenix security, however when it comes to securing your own project, determining where to begin is a difficult task. Here are five recommendations to get started improving the security of your application.

Cross Site Scripting (XSS) refers to a class of vulnerability in web applications, where an attacker is able to inject a script into the browsing context of a victim. The root cause of this vulnerability is untrusted user input being rendered in a web browser, where JavaScript written by an attacker is executed. If a website has user authentication, and an attacker is able to exploit XSS in the site, the end result is user accounts will be compromised.

SQL injection is a type of attack against a web application, where some malicious input is parsed by the underlying database, resulting in an unauthorized operation being performed. This can be the disclosure of sensitive data, modification of the database, or deletion of entire tables.

Write a function in Elixir named build_string that takes 4 arguments:

At this year’s ElixirConf Teller hosted a challenge in Elixir, write an Elixir client for a banking application to get the secret account number and balance. This is a writeup for the remote attendee instance, if you played this in-person at ElixirConf the setup was different.

In 1996 Google co-founder Larry Page posted in comp.lang.java, Q: Setting User-Agent Field?. 26 years later, you may still need to set the User-Agent in your project. Here are four examples from the Elixir HTTP clients Finch, HTTPoison, Req, and Tesla.

It was an ordinary day at work for Peter, until he saw a spike in login attempts 1,000 times higher than average! Go inside the response to a bot attack and learn how Paraxial.io can keep your business secure.

Paraxial.io was featured in the excellent ElixirCasts, a series of video tutorials on Elixir and Phoenix. The episode walks through the installation of Paraxial.io in less than seven minutes, and the configuration of a rule to stop automated credential stuffing attacks.

Credential stuffing is a type of attack performed against web applications, where the attacker uses username/password pairs from a data breach as input to a program, which performs automated login attempts against a victim application. This is a highly effective technique for stealing user accounts, because password reuse is so common.

Paraxial.io protects your Elixir/Phoenix application from bots attempting automated logins, scraping, and disruption of service. Today we are happy to announce the beta program is open to new users!

Several cloud hosting companies publish the IP address ranges of their services. Examples include AWS, Azure, GCP, Oracle, and DigitalOcean. This information is useful to website owners, because the expected behavior of a client coming from a cloud server is different from a residential IP address. Consider a website that sells concert tickets, and wants to prevent bots from quickly purchasing all available tickets. The website owner notices that when tickets go on sale, hundreds of clients with data center IP addresses are making automated requests, purchasing tickets for resale before real visitors can.

Web applications that accept username and password pairs for authentication may experience credential stuffing by malicious clients. We use the term “credential stuffing” to refer to the act of using credentials, taken from a website’s public data breach, to preform many authentication attempts against victim accounts on a different website. This tutorial will demonstrate how to mitigate credential stuffing against a Phoenix Framework application, using PlugAttack.