CVE-2025-4658 – github.com/openpubkey/opkssh

Package

Manager: go
Name: github.com/openpubkey/opkssh
Vulnerable Version: >=0 <0.5.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

EPSS: 0.00042 pctl0.11956

Details

OPKSSH Vulnerable to Authentication Bypass ### Impact Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication. ### Patches The vulnerability does not exist in more recent versions of OPKSSH. his only impacts OPKSSH when used to verify ssh keys on a server, the OPKSSH client is unaffected. To remediate upgrade to a version of OPKSSH v0.5.0 or greater. To determine if you are vulnerable run on your server: ```bash opkssh --version ``` If the version is less than 0.5.0 you should upgrade. To upgrade to the latest version run: ```bash wget -qO- "https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh" | sudo bash ``` ### References [CVE-2025-4658](https://www.cve.org/CVERecord?id=CVE-2025-4658) The upstream vulnerability in OpenPubkey is [CVE-2025-3757](https://www.cve.org/CVERecord?id=CVE-2025-3757) and has the security advisory https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq

Metadata

Created: 2025-05-13T21:34:58Z
Modified: 2025-05-13T21:34:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-56wx-66px-9j66/GHSA-56wx-66px-9j66.json
CWE IDs: ["CWE-305"]
Alternative ID: GHSA-56wx-66px-9j66
Finding: F184
Auto approve: 1