CVE-2025-4658: OPKSSH Vulnerable to Authentication Bypass

May 13, 2025

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.

References

github.com/advisories/GHSA-56wx-66px-9j66
github.com/openpubkey/opkssh
github.com/openpubkey/opkssh/security/advisories/GHSA-56wx-66px-9j66
nvd.nist.gov/vuln/detail/CVE-2025-4658

Code Behaviors & Features

Detect and mitigate CVE-2025-4658 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →