CVE-2025-54804 – russh

Package

Manager: cargo
Name: russh
Vulnerable Version: >=0 <0.54.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00054 pctl0.1671

Details

russh is missing overflow checks during channel windows adjust ### Summary The channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in a integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server. ### Details According https://datatracker.ietf.org/doc/html/rfc4254#section-5.2, The value must not overflow. The incorrect handling is done in server/encrypted.rs and client/encrypted.rs in the handling of CHANNEL_WINDOW_ADJUST. ``` let amount = map_err!(u32::decode(&mut r))?; ... channel.recipient_window_size += amount; ``` It could be replaced with something like ``` if let Some(ref mut channel) = enc.channels.get_mut(&channel_num) { // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes. new_size = channel.recipient_window_size.saturating_add(amount); channel.recipient_window_size = new_size; } ... ``` ### PoC A customized client code would be required to send a message with a big value like u32_max. Not done yet. ### Impact This problem seems only critical to a server. One user can crash the server, which might take down the service. A malicious server could also crash a single client, but this seems not very critical.

Metadata

Created: 2025-08-04T20:28:36Z
Modified: 2025-08-05T17:11:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-h5rc-j5f5-3gcm/GHSA-h5rc-j5f5-3gcm.json
CWE IDs: ["CWE-190"]
Alternative ID: GHSA-h5rc-j5f5-3gcm
Finding: F111
Auto approve: 1