SSH
CVE-2025-67511
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection; while username, host and port values are injectable. This issue does not have a fix at the time of publication.
AnalysisAI
A critical command injection vulnerability exists in the Cybersecurity AI (CAI) framework versions 0.5.9 and below, allowing attackers to execute arbitrary commands through unsanitized SSH parameters (username, host, port) in the run_ssh_command_with_credentials() function accessible to AI agents. The vulnerability has a publicly available proof-of-concept exploit and enables remote code execution with potential for complete system compromise, though real-world exploitation probability remains relatively low at 0.12% EPSS score despite the high CVSS rating of 9.6.
Technical ContextAI
The Cybersecurity AI (CAI) framework, identified as cpe:2.3:a:aliasrobotics:cybersecurity_ai:*:*:*:*:*:*:*:*, is an open-source platform for building AI-powered security automation tools. The vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in a Command), where the run_ssh_command_with_credentials() function only escapes password and command inputs but fails to sanitize username, host, and port parameters before passing them to shell commands. This allows attackers to inject shell metacharacters and execute arbitrary commands when these parameters are processed by the underlying SSH client.
RemediationAI
At the time of publication, no official patch is available from the vendor despite a commit (https://github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c) being referenced. Organizations should immediately disable or restrict access to the run_ssh_command_with_credentials() function in their CAI deployments, implement input validation for all SSH parameters (username, host, port) before processing, and consider sandboxing AI agent operations to limit potential damage. Monitor the GitHub advisory at https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h for updates on patch availability and apply immediately when released.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4c65-9gqf-4w8h