CVE-2025-5449

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-5449
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-5449.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-5449
Downstream
Published
2025-07-25T18:15:26Z
Modified
2025-07-29T14:14:55Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
[none]
Details

A flaw was found in the SFTP server message decoding logic of libssh. The issue occurs due to an incorrect packet length check that allows an integer overflow when handling large payload sizes on 32-bit systems. This issue leads to failed memory allocation and causes the server process to crash, resulting in a denial of service.

References

Affected packages

Debian:13 / libssh

Package

Name
libssh
Purl
pkg:deb/debian/libssh?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.11.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}