CVE-2025-4658
Published 2025-05-13
Priority P2 · 64 · Critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% (21.2nd percentile)
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | openpubkey_opkssh | >= 0 < 0.5.0 | 0.5.0 |
| openpubkey | openpubkey | < 0.10.0 | 0.10.0 |
| openpubkey | opkssh | < 0.5.0 | 0.5.0 |
| opkssh | opkssh | 0.1.0 – 0.4.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | Critical | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| GHSA | — | 9.3 | Critical | — |
| OSV | — | 9.3 | Critical | — |
OSV
OPKSSH Vulnerable to Authentication Bypass in github.com/openpubkey/opkssh
osv · 2025-05-15
GHSA
OPKSSH Vulnerable to Authentication Bypass
ghsa · 2025-05-13 · CVSS 9.3 · CRITICAL · CWE-305 (Authentication Bypass by Primary Weakness)
### Impact
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.
### Patches
The vulnerability does not exist in more recent versions of OPKSSH. This only impacts OPKSSH when used to verify SSH keys on a server; the OPKSSH client is unaffected. To remediate, upgrade to OPKSSH v0.5.0 or greater.
To determine if you are vulnerable run on your server:
```bash
opkssh --version
```
If the version is less than 0.5.0 you should upgrade. To upg
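The advisory's check stops at "run `opkssh --version` and compare". The script below is an added example (not from the OPKSSH project or the advisory) that does the comparison field by field, because the library fix shipped as 0.10.0 and a plain string comparison ranks 0.10.0 below 0.9.0. It also goes one step beyond the advisory and checks Go projects that import the OpenPubkey library directly, which the summary above says is the actual location of the bug. Two assumptions, neither stated on the page: `opkssh --version` prints a version string somewhere in its output (the exact format is not given), and the library's Go module path is github.com/openpubkey/openpubkey.

```bash
#!/usr/bin/env bash
# Added example, not from the OPKSSH project or the advisory: a version check
# for CVE-2025-4658 that compares release numbers field by field instead of
# as strings. Assumptions (not stated on the page): `opkssh --version` prints a
# version string somewhere in its output, and Go consumers of the library use
# the module path github.com/openpubkey/openpubkey.

# version_lt A B: succeed (return 0) when A is strictly older than B.
# Fields are compared numerically, so 0.10.0 > 0.9.0; a plain `<` on strings
# would get that backwards, and the library fix shipped as 0.10.0.
# A pre-release tag (0.5.0-rc1) sorts below the final release (0.5.0).
version_lt() {
    local a="${1#v}" b="${2#v}" apre=0 bpre=0
    [[ $a == *-* ]] && apre=1
    [[ $b == *-* ]] && bpre=1
    a=${a%%[-+]*}; b=${b%%[-+]*}          # drop pre-release/build metadata
    local IFS=.
    local -a fa=($a) fb=($b)
    local i x y
    for i in 0 1 2; do
        x=${fa[i]:-0}; y=${fb[i]:-0}      # missing fields count as 0 (0.4 == 0.4.0)
        (( 10#$x < 10#$y )) && return 0
        (( 10#$x > 10#$y )) && return 1
    done
    (( apre == 1 && bpre == 0 )) && return 0   # 0.5.0-rc1 < 0.5.0
    return 1
}

# extract_version: pull the first x.y.z[-pre] token out of arbitrary text on stdin.
extract_version() {
    grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?' | head -n 1
}

# is_affected VERSION FIXED NAME: return 0 when VERSION is older than the first
# fixed release FIXED, 1 when it is fixed, 2 when no version could be read.
is_affected() {
    local installed=$1 fixed=$2 name=$3
    if [[ -z $installed ]]; then
        echo "UNKNOWN: could not determine $name version"
        return 2
    fi
    if version_lt "$installed" "$fixed"; then
        echo "VULNERABLE: $name $installed is older than $fixed"
        return 0
    fi
    echo "ok: $name $installed is $fixed or newer"
    return 1
}

# --- OPKSSH on an SSH server: first fixed release 0.5.0 (from the advisory) ---
if command -v opkssh >/dev/null 2>&1; then
    is_affected "$(opkssh --version 2>&1 | extract_version)" 0.5.0 opkssh \
        && echo "  -> upgrade OPKSSH to 0.5.0 or newer"
else
    echo "opkssh not installed on this host"
fi

# --- Go projects importing the library directly: first fixed release 0.10.0 ---
# `go list -m PATH` prints "PATH VERSION" for a required module; the module
# path below is an assumption.
if [[ -f go.mod ]] && command -v go >/dev/null 2>&1; then
    lib=$(go list -m github.com/openpubkey/openpubkey 2>/dev/null | extract_version)
    is_affected "$lib" 0.10.0 github.com/openpubkey/openpubkey \
        && echo "  -> bump the openpubkey module to 0.10.0 or newer"
fi
```

Run it as root on each server that uses OPKSSH for key verification (the client side is unaffected, per the advisory), and from the root of any Go repository that vendors the library. The return code of `is_affected` distinguishes "vulnerable", "fixed" and "could not tell", so the script can feed a fleet-wide inventory without anyone reading the echoed lines.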
OSV
CVE-2025-4658
osv · 2025-05-13 · CVSS 9.3 · CRITICAL
Description identical to the summary at the top of the page.
OSV
OPKSSH Vulnerable to Authentication Bypass
osv · 2025-05-13 · CVSS 9.3 · CRITICAL
Impact and Patches text identical to the GHSA advisory above.
No detection rules found.
No public exploits indexed.