CVE-2026-45309
HIGH
8.2
CVSS 4.0
Description
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.0, AsyncSSH expands the OpenSSH-compatible AuthorizedKeysFile %u token in asyncssh/config.py, asyncssh/connection.py, asyncssh/auth_keys.py, and asyncssh/misc.py with the raw SSH username during pre-authentication server config reload, allowing a server configured with AuthorizedKeysFile authorized_keys/%u to read an authorized-keys file outside the intended directory when the SSH username contains /, \, or .. path traversal segments and authenticate with an attacker-selected key file. This issue is fixed in version 2.23.0.
Metadata
Severity & Metrics
8.2
HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| ronf | asyncssh | — | < 2.23.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-22 | cna | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.2 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
References (3)
- https://github.com/ronf/asyncssh/security/advisories/GHSA-g794-3fmp-753h https://github.com/ronf/asyncssh/security/advisories/GHSA-g794-3fmp-753h
- https://github.com/ronf/asyncssh/commit/2af2382cce946c959a378a62f257af253dc4ab51 https://github.com/ronf/asyncssh/commit/2af2382cce946c959a378a62f257af253dc4ab51
- https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88 https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88