critical
9.3
CWE
305
EPSS
0.054%
Advisory Published
Advisory Published
Updated

CVE-2025-4658: Authentication Bypass in OPKSSH

First published: Tue May 13 2025(Updated: )

### Impact Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication. ### Patches The vulnerability does not exist in more recent versions of OPKSSH. his only impacts OPKSSH when used to verify ssh keys on a server, the OPKSSH client is unaffected. To remediate upgrade to a version of OPKSSH v0.5.0 or greater. To determine if you are vulnerable run on your server: ```bash opkssh --version ``` If the version is less than 0.5.0 you should upgrade. To upgrade to the latest version run: ```bash wget -qO- "https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh" | sudo bash ``` ### References [CVE-2025-4658](https://www.cve.org/CVERecord?id=CVE-2025-4658) The upstream vulnerability in OpenPubkey is [CVE-2025-3757](https://www.cve.org/CVERecord?id=CVE-2025-3757) and has the security advisory https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq

Credit: cna@cloudflare.com

Affected SoftwareAffected VersionHow to fix
OpenPubkey<0.10.0
OPKSSH<0.5.0
go/github.com/openpubkey/opkssh<0.5.0
0.5.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-4658?

    CVE-2025-4658 has a high severity rating due to its potential to allow unauthorized bypassing of signature verification.

  • How do I fix CVE-2025-4658?

    To fix CVE-2025-4658, upgrade the OpenPubkey library to version 0.10.0 or later and ensure OPKSSH is updated to version 0.5.0 or later.

  • What versions are affected by CVE-2025-4658?

    CVE-2025-4658 affects OpenPubkey versions prior to 0.10.0 and OPKSSH versions prior to 0.5.0.

  • What is the impact of CVE-2025-4658 on my application?

    The impact of CVE-2025-4658 can lead to unauthorized access as it allows crafted JWS to bypass signature verification.

  • Is CVE-2025-4658 exploitable remotely?

    Yes, CVE-2025-4658 is exploitable remotely, making systems that utilize vulnerable versions of OpenPubkey and OPKSSH particularly at risk.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203