GHSA-56wx-66px-9j66
Suggest an improvement- Source
- https://github.com/advisories/GHSA-56wx-66px-9j66
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-56wx-66px-9j66/GHSA-56wx-66px-9j66.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-56wx-66px-9j66
- Aliases
- Published
- 2025-05-13T21:34:58Z
- Modified
- 2025-05-15T20:41:49.515714Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L CVSS Calculator
- Summary
- OPKSSH Vulnerable to Authentication Bypass
- Details
-
Impact
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.
Patches
The vulnerability does not exist in more recent versions of OPKSSH. his only impacts OPKSSH when used to verify ssh keys on a server, the OPKSSH client is unaffected. To remediate upgrade to a version of OPKSSH v0.5.0 or greater.
To determine if you are vulnerable run on your server:
opkssh --versionIf the version is less than 0.5.0 you should upgrade. To upgrade to the latest version run:
wget -qO- "https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh" | sudo bashReferences
The upstream vulnerability in OpenPubkey is CVE-2025-3757 and has the security advisory https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq
- Database specific
{ "nvd_published_at": "2025-05-13T17:16:04Z", "cwe_ids": [ "CWE-305" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-13T21:34:58Z" }- References
Affected packages
Go / github.com/openpubkey/opkssh
Package
- Name
- github.com/openpubkey/opkssh
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openpubkey/opkssh