Skip to main content

AsyncSSH CVE-2026-45309

MEDIUM
Path Traversal (CWE-22)
2026-05-27 https://github.com/ronf/asyncssh GHSA-g794-3fmp-753h
Share

Severity by source

SUSE PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from SUSE · only source for this CVE.

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 22:40 vuln.today
Analysis Generated
May 27, 2026 - 22:40 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 14 pypi packages depend on asyncssh (6 direct, 8 indirect)

Ecosystem-wide dependent count for version 2.22.0.

DescriptionCVE.org

Summary

AsyncSSH 2.22.0 expands the OpenSSH-compatible AuthorizedKeysFile %u token with the raw SSH username during pre-authentication server config reload. A server configured with a documented per-user key pattern such as AuthorizedKeysFile authorized_keys/%u can be made to read an authorized-keys file outside the intended directory when the SSH username contains path traversal segments. If the attacker can place or reference a readable authorized-keys-format file containing their public key, the attacker can authenticate over SSH as the traversal username.

Affected Product

  • Package: asyncssh
  • Ecosystem: pip
  • Affected versions: confirmed on 2.22.0; exact lower bound not finalized
  • Tested version: 2.22.0
  • Audit commit/tag: tag v2.22.0, commit af5a81e669633d83d535163f93b6bf3f957c9238
  • PyPI sdist SHA256: c3ce72b01be4f97b40e62844dd384227e5ff5a401a3793007c42f86a5c8eb537

Vulnerability Details

  • CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory
  • Component: AsyncSSH server config reload and public-key authentication (asyncssh/config.py, asyncssh/connection.py, asyncssh/auth_keys.py, asyncssh/misc.py)
  • Root cause: %u in AuthorizedKeysFile is expanded from the remote username without rejecting path separators or .. segments, and the resulting path is opened without constraining it to the intended authorized-keys directory.
  • Security boundary violated: the configured authorized-keys directory and public-key authentication trust boundary.
  • Direct impact: public-key authentication succeeds using an attacker-selected authorized-keys file outside the intended directory.
  • Chain impact, if any: none claimed; direct authentication impact is primary.

Attack Preconditions

  • The AsyncSSH server uses a config or equivalent pattern where AuthorizedKeysFile contains %u, for example AuthorizedKeysFile authorized_keys/%u.
  • Public-key authentication is enabled.
  • The attacker can place or reference a readable authorized-keys-format file outside the intended directory, such as a file in a world-writable or application-writable location.
  • The application does not separately reject usernames containing /, \, or .. before AsyncSSH uses the username for key-file selection.

Reproduction

The run-scoped evidence contains a safe localhost proof:

  1. Start the proof harness saved at

harness_app.py

  1. Run

exploit_proof.py through run_proof.sh

  1. The harness creates sshd_config with AuthorizedKeysFile authorized_keys/%u, writes the attacker's public key to a file outside authorized_keys/, starts a real AsyncSSH server, and attempts two SSH logins.
  2. Expected result: the normal username victim fails, while the traversal username authenticates with the same attacker key.

Observed proof output:

text
[CONTROL] username=victim success=False
[ATTACK] username=../../../asyncssh-proof-exploit-proof-8b2bd23daeeb.pub success=True
[ATTACK] output=AUTH_BYPASS_SUCCESS username=../../../asyncssh-proof-exploit-proof-8b2bd23daeeb.pub
PASS: traversal username authenticated with attacker-controlled authorized_keys file

AnalysisAI

Path traversal in AsyncSSH 2.22.0's AuthorizedKeysFile %u token expansion allows an unauthenticated remote attacker to bypass SSH public-key authentication by supplying a crafted username containing directory traversal sequences. Servers configured with per-user key patterns such as AuthorizedKeysFile authorized_keys/%u are vulnerable when an attacker can place or reference a readable authorized-keys-format file at a filesystem path reachable by traversal from the configured directory. Publicly available exploit code exists demonstrating successful authentication bypass; KEV status is not confirmed at time of analysis.

Technical ContextAI

AsyncSSH is a Python asyncio-based SSH protocol library. It implements OpenSSH-compatible server configuration directives including AuthorizedKeysFile, which supports token substitution for per-user key file resolution. The %u token is intended to be replaced with the authenticated username to locate that user's authorized keys. The vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) exists because the raw SSH username supplied during the pre-authentication handshake is substituted for %u in asyncssh/config.py without rejecting or stripping path separators (/) or parent-directory references (..), and the resulting path is opened in asyncssh/auth_keys.py without constraining it to the intended authorized-keys directory. The affected package is pkg:pip/asyncssh, confirmed at commit af5a81e669633d83d535163f93b6bf3f957c9238 (tag v2.22.0). The security boundary violated is the trust relationship between the configured authorized-keys directory and the SSH server's key lookup mechanism.

RemediationAI

Upgrade to AsyncSSH 2.23.0, which is the vendor-released patch per GHSA-g794-3fmp-753h (https://github.com/ronf/asyncssh/security/advisories/GHSA-g794-3fmp-753h). If immediate upgrade is not possible, apply one or more compensating controls: (1) Remove %u from all AuthorizedKeysFile directives and replace with static per-user absolute paths - this eliminates the token expansion entirely but requires manual configuration for each user and will break dynamic user provisioning workflows. (2) Validate and reject SSH usernames containing /, \, or .. at the application layer before AsyncSSH processes them; note this requires the application to intercept usernames in the pre-authentication phase, which may necessitate custom server-side wrappers and carries risk of incomplete filtering if encoding variants are possible. (3) Harden the filesystem so no attacker-writable or world-writable files exist at any path reachable by traversal from the authorized-keys directory - this is a defense-in-depth measure and does not eliminate the vulnerability, only raises the bar for the file-placement precondition. Patch version 2.23.0 is independently confirmed by PyPI package data and the maintainer advisory.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-45309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy