exploitDog
GHSA-h5rc-j5f5-3gcm

Published: 04 Aug 2025
Source: github
GitHub: reviewed
CVSS3: 6.5

Description

russh is missing overflow checks during channel windows adjust

Summary

The channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value without checking the result. This can result in an integer overflow. If the Rust code is compiled with overflow checks (the default for debug builds, and for release builds that enable them), it will panic; otherwise the counter silently wraps. A malicious client can crash a server.

Details

According to https://datatracker.ietf.org/doc/html/rfc4254#section-5.2, the window MUST NOT be increased above 2^32 - 1 bytes, so the value must not overflow. The incorrect handling is in server/encrypted.rs and client/encrypted.rs, in the handling of CHANNEL_WINDOW_ADJUST:

```rust
let amount = map_err!(u32::decode(&mut r))?;
...
// Unchecked addition: an attacker-chosen u32 is added to the current window.
channel.recipient_window_size += amount;
```

It could be replaced with something like

```rust
if let Some(ref mut channel) = enc.channels.get_mut(&channel_num) {
    // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes.
    let new_size = channel.recipient_window_size.saturating_add(amount);
    channel.recipient_window_size = new_size;
}
...
```
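To make the failure and the two possible fixes concrete, the following is an added stand-alone Rust example; it is not russh code. `Channel`, `WindowError`, `parse_window_adjust`, the `apply_*` functions and `malicious_adjust` are this example's own constructions, and the attacker message is built inline from the RFC 4254 wire layout (byte 93, uint32 recipient channel, uint32 bytes to add) rather than taken from captured traffic. It shows the unchecked `+=` shape from the advisory, the saturating fix shape proposed above, and a stricter variant that reports an overflowing adjust as a protocol violation so the caller can disconnect the peer.

```rust
use std::collections::HashMap;

/// SSH_MSG_CHANNEL_WINDOW_ADJUST message number (RFC 4254, section 9).
pub const SSH_MSG_CHANNEL_WINDOW_ADJUST: u8 = 93;

/// Per-channel state: how many bytes the peer says it can still receive.
#[derive(Debug, Clone, PartialEq)]
pub struct Channel {
    pub recipient_window_size: u32,
}

#[derive(Debug, Clone, PartialEq)]
pub enum WindowError {
    Truncated,
    WrongMessageType(u8),
    UnknownChannel(u32),
    /// RFC 4254 section 5.2: the window MUST NOT be increased above 2^32 - 1.
    Overflow { current: u32, amount: u32 },
}

/// Decode the wire form: byte 93, uint32 recipient channel, uint32 bytes to add.
pub fn parse_window_adjust(msg: &[u8]) -> Result<(u32, u32), WindowError> {
    if msg.is_empty() {
        return Err(WindowError::Truncated);
    }
    if msg[0] != SSH_MSG_CHANNEL_WINDOW_ADJUST {
        return Err(WindowError::WrongMessageType(msg[0]));
    }
    if msg.len() < 9 {
        return Err(WindowError::Truncated);
    }
    let channel = u32::from_be_bytes(msg[1..5].try_into().unwrap());
    let amount = u32::from_be_bytes(msg[5..9].try_into().unwrap());
    Ok((channel, amount))
}

/// The pre-fix shape described in the advisory: an unchecked `+=`.
/// With overflow checks enabled this panics (a remote crash for a server);
/// with them disabled it wraps and the window accounting is silently wrong.
pub fn apply_unchecked(channel: &mut Channel, amount: u32) -> u32 {
    channel.recipient_window_size += amount;
    channel.recipient_window_size
}

/// Fix shape proposed in the advisory: clamp at 2^32 - 1 and keep going.
pub fn apply_saturating(channel: &mut Channel, amount: u32) -> u32 {
    channel.recipient_window_size = channel.recipient_window_size.saturating_add(amount);
    channel.recipient_window_size
}

/// Stricter alternative: an adjust that would exceed 2^32 - 1 violates the RFC,
/// so leave the state untouched and let the caller disconnect the peer.
pub fn apply_strict(channel: &mut Channel, amount: u32) -> Result<u32, WindowError> {
    let current = channel.recipient_window_size;
    let new_size = current
        .checked_add(amount)
        .ok_or(WindowError::Overflow { current, amount })?;
    channel.recipient_window_size = new_size;
    Ok(new_size)
}

/// End to end: parse one message and apply it strictly to the channel table.
pub fn handle_window_adjust(
    channels: &mut HashMap<u32, Channel>,
    msg: &[u8],
) -> Result<u32, WindowError> {
    let (channel_num, amount) = parse_window_adjust(msg)?;
    let channel = channels
        .get_mut(&channel_num)
        .ok_or(WindowError::UnknownChannel(channel_num))?;
    apply_strict(channel, amount)
}

/// Constructed attacker message (not captured traffic): adjust `channel` by u32::MAX.
pub fn malicious_adjust(channel: u32) -> Vec<u8> {
    let mut m = vec![SSH_MSG_CHANNEL_WINDOW_ADJUST];
    m.extend_from_slice(&channel.to_be_bytes());
    m.extend_from_slice(&u32::MAX.to_be_bytes());
    m
}

fn main() {
    let mut channels = HashMap::new();
    channels.insert(0u32, Channel { recipient_window_size: 1 });
    println!("{:?}", handle_window_adjust(&mut channels, &malicious_adjust(0)));
    // Uncomment to reproduce the crash a build with overflow checks produces:
    // apply_unchecked(channels.get_mut(&0).unwrap(), u32::MAX);
}
```

Both hardened variants remove the panic. Saturating keeps the session alive but quietly accepts a non-compliant peer, which is the cheaper change for a client; the strict variant is closer to what a server that wants to drop abusive clients needs, because it surfaces the violation instead of masking it.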

PoC

A customized client would be required to send a message with a large value such as u32::MAX. Not done yet.

Impact

This problem seems critical only for a server. One user can crash the server, which might take down the service. A malicious server could also crash a single client, but this seems much less critical.

Packages

Name: russh (rust)
Affected versions: < 0.54.1
Fixed version: 0.54.1

EPSS

Percentile: 24%
0.00081
Low

CVSS3

6.5 Medium

Weaknesses

CWE-190

Related vulnerabilities

CVSS3: 6.5
redhat
4 months ago

Russh is a Rust SSH client & server library. In versions 0.54.0 and below, the channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in an integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server. This is fixed in version 0.54.1.

CVSS3: 6.5
nvd
4 months ago

Russh is a Rust SSH client & server library. In versions 0.54.0 and below, the channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in an integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server. This is fixed in version 0.54.1.
