Fluid Attacks Database

Description

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	libssh	>=0 <0.11.2-1	0.11.2-1
debian 11	libssh	=0.9.5-1 \|\| =0.9.5-1+deb11u1 \|\| =0.9.6-1 \|\| =0.9.6-2 \|\| =0.9.7-0+deb11u1 \|\| =0.9.8-0+deb11u1 \|\| >=0 <0.9.8-0+deb11u2	0.9.8-0+deb11u2
debian 12	libssh	=0.10.5-2 \|\| =0.10.5-3 \|\| =0.10.5-3+hurd.1 \|\| =0.10.6-0+deb12u1 \|\| >=0 <0.10.6-0+deb12u2	0.10.6-0+deb12u2
debian 13	libssh	>=0 <0.11.2-1	0.11.2-1
rpm rhel6	libssh2	-	-
rpm rhel7	libssh2	-	-
rpm rhel10	libssh	-	-
rpm rhel8	libssh	-	-
rpm rhel9	libssh	<0:0.10.4-18.el9	0:0.10.4-18.el9

Aliases

1. CVE-2025-48782. NVD-2025-48783. OSV-DEBIAN-2025-48784. OSV-2025-48785. SECURITY-TRACKER-CVE-2025-4878

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.