OPKSSH, Authentication Bypass, CVE-2025-4658 (Critical)

How the CVE Works:

CVE-2025-4658 is an authentication bypass in OPKSSH caused by a flaw in OpenPubkey's JWS (JSON Web Signature) verification. An attacker can craft a JWS token with a manipulated signature that passes the validation checks. Because OPKSSH relies on OpenPubkey for SSH key authentication, this allows unauthorized access to servers running vulnerable versions (pre-0.5.0). The root cause is improper signature parsing in OpenPubkey (CVE-2025-3757), where forged tokens are accepted as valid.

DailyCVE Form:

Platform: OPKSSH
Version: <0.5.0
Vulnerability: Auth Bypass
Severity: Critical
Date: May 13, 2025

What Undercode Say:

Exploitation:

  1. Craft a malicious JWS token with a spoofed signature.
  2. Use the token to authenticate via OPKSSH on a vulnerable server.
  3. Bypass SSH key verification, gaining unauthorized access.

Detection:

opksshd --version | grep -E '0\.[0-4]\.[0-9]+'

Mitigation:

Upgrade OPKSSH:

sudo apt-get update && sudo apt-get install --only-upgrade opkssh
# Confirm afterwards that the installed version is 0.5.0 or later

Code Analysis:

  • Vulnerable JWS parsing in OpenPubkey:
    func VerifyJWS(token string) error {
        // Flawed logic allows malformed sigs
        if strings.Contains(token, "alg:none") {
            return nil // Bypass
        }
        // Normal verification path; verifySignature is a placeholder name
        return verifySignature(token)
    }

Protection:

1. Enforce strict JWS header validation:

    if header.Alg == "none" {
        return errors.New("invalid alg")
    }

2. Implement SSH certificate pinning.
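
The strict header validation from item 1, written out as an added example in Go (not OpenPubkey or OPKSSH code): it checks the protected header against an exact-match allowlist rather than comparing with "none", so case variants, missing values and unknown algorithms are rejected as well. The names allowedAlgs, CheckJWSHeader and sample, the allowlist contents and the tokens are assumptions constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Assumed allowlist for this example; set it to what your issuers really use.
var allowedAlgs = map[string]bool{"RS256": true, "ES256": true}

// CheckJWSHeader vets a compact JWS's protected header before signature
// verification runs. It is a pre-check only and verifies no signature.
func CheckJWSHeader(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[2] == "" {
		return "", errors.New("need three segments and a non-empty signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("header is not base64url: %w", err)
	}
	// Decode into a map: Go struct decoding matches keys case-insensitively,
	// which would let "ALG" stand in for "alg".
	var hdr map[string]any
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("header is not a JSON object: %w", err)
	}
	alg, _ := hdr["alg"].(string) // missing or non-string alg becomes ""
	// Exact-match allowlist: "none", "NoNe", "" and unknown values all fail.
	if !allowedAlgs[alg] {
		return "", fmt.Errorf("alg %q is not allowed", alg)
	}
	return alg, nil
}

// sample builds a constructed token; payload and signature are dummies.
func sample(header, sig string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(header)) + "." + enc([]byte(`{"sub":"test"}`)) + "." + sig
}

func main() {
	for _, h := range []string{`{"alg":"ES256"}`, `{"alg":"none"}`, `{"ALG":"ES256"}`} {
		_, err := CheckJWSHeader(sample(h, "c2ln"))
		fmt.Printf("%-16s -> %v\n", h, err)
	}
}
```

Call the check before signature verification, and verify only with the algorithm it returns.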

Network Controls:

# Drop new connections to port 22 that do not start with a SYN packet
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW ! --syn -j DROP

Sources:

Reported By: github.com