CVE-2025-66406
Published: 2025-12-03
Severity: medium, CVSS 3.1 base score 5.0 (vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H)
EPSS: 0.13% (3.2nd percentile)
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | smallstep_certificates | >= 0 < 0.29.0 | 0.29.0 |
| smallstep | certificates | < 0.29.0 | 0.29.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H |
| Red Hat (vendor) | 3.1 | 5.0 | MEDIUM | (not given) |
OSV (2025-12-08): CVE-2025-66406 step-ca Has Improper Authorization Check for SSH Certificate Revocation in github.com/smallstep/certificates
OSV (2025-12-03): CVE-2025-66406 [MEDIUM] step-ca Has Improper Authorization Check for SSH Certificate Revocation
## Summary
An authorized attacker can bypass authorization checks and revoke any SSH certificate issued by Step CA by using a valid revocation token.
## Details
Step CA users can obtain SSH certificates from a few provisioners. The SSHPOP provisioner allows revocation of the SSH certificate (preventing future certificate renewals) using a token. Due to a missing validity check, this token could be used to revoke any SSH certificate issued by the CA.
To create a token, an attacker must have access to the CA endpoint and a valid SSH certificate, meaning they were already authorized to obtain an SSH certificate. The attacker must also know the serial number of the certificate they want to revoke.
## Impact
There is no
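The missing check described in the Details section, modelled in Go as an added example (this is not step-ca's own code; the types SSHCert, SSHPOPToken and CA and the function names are hypothetical): the flawed path accepts any valid proof-of-possession token for any serial, while the fixed path binds the token to the one certificate it proves possession of.

```go
package main

import "errors"

// Hypothetical, simplified model of a CA's SSH revocation path, constructed for
// this example; these are not step-ca's own types, names or functions.
type SSHCert struct {
	Serial  uint64
	Revoked bool
}
// SSHPOPToken stands for a proof-of-possession token: the holder proved control
// of the private key for the certificate identified by Serial.
type SSHPOPToken struct{ Serial uint64 }
type CA struct{ certs map[uint64]*SSHCert }
var (
	ErrNotFound      = errors.New("certificate not found")
	ErrNotAuthorized = errors.New("token does not authorize revocation of this serial")
)
func NewCA(serials ...uint64) *CA {
	ca := &CA{certs: map[uint64]*SSHCert{}}
	for _, s := range serials {
		ca.certs[s] = &SSHCert{Serial: s}
	}
	return ca
}

// RevokeUnchecked mirrors the flaw the advisory describes: the token is valid,
// but its serial is never compared with the serial named in the request.
func (ca *CA) RevokeUnchecked(tok SSHPOPToken, serial uint64) error {
	c, ok := ca.certs[serial]
	if !ok {
		return ErrNotFound
	}
	c.Revoked = true
	return nil
}

// RevokeChecked adds the missing authorization step: a proof-of-possession
// token may only revoke the certificate whose key it proved possession of.
func (ca *CA) RevokeChecked(tok SSHPOPToken, serial uint64) error {
	if tok.Serial != serial {
		return ErrNotAuthorized
	}
	return ca.RevokeUnchecked(tok, serial)
}

func (ca *CA) IsRevoked(serial uint64) bool {
	c, ok := ca.certs[serial]
	return ok && c.Revoked
}
```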
GHSA (2025-12-03): CVE-2025-66406 [MEDIUM] CWE-285 step-ca Has Improper Authorization Check for SSH Certificate Revocation (advisory text identical to the OSV entry above)
Red Hat (vendor, 2025-12-03, CVSS 5.0): CVE-2025-66406 [MEDIUM] CWE-863 github.com/smallstep/certificates: Step CA: Denial of Service via improper SSH certificate revocation authorization
A flaw was found in Step CA, an online certificate authority. This vulnerability allows a highly privileged attacker to improperly revoke SSH certificates. Such unauthorized revocation can disrupt services, leading to a denial of service for systems configured with the SSHPOP provisioner that rely on these certificates for secure access.
Statement: This vulnerability is rated Moderate.
No detection rules found.
No public exploits indexed.