CVE-2025-4658

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-4658
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4658.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-4658
Aliases
Related
Published
2025-05-13T17:16:04Z
Modified
2025-05-23T09:47:55.404550Z
Downstream
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Versions of the OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. Because OPKSSH depends on the OpenPubkey library for authentication, this vulnerability also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.

References

Affected packages

Git / github.com/openpubkey/openpubkey

Affected ranges

Type
GIT
Repo
https://github.com/openpubkey/openpubkey
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/openpubkey/opkssh
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.9.0