CVE-2020-26301

7.5 HIGH

📋 TL;DR

CVE-2020-26301 is a command injection vulnerability in the ssh2 npm package (SSH2 client and server modules for Node.js). On Windows, attacker-controlled input that reaches the vulnerable method is handed to a command shell, so an attacker can run arbitrary OS commands with the privileges of the Node.js process. The bug is Windows-only: Linux and macOS hosts are not affected, and neither are applications that never pass untrusted input to that method. Fixed in ssh2 1.4.0.

💻 Affected Systems

Products:
  • ssh2 npm package
Versions: All versions before 1.4.0
Operating Systems: Windows only
Default Config Vulnerable: ⚠️ Yes (on Windows there is no configuration switch that disables the affected code path; exposure depends on whether the application passes untrusted input to it)
Notes: Only Windows hosts are affected; Linux and macOS are not vulnerable. Exploitation requires untrusted input to reach the vulnerable method, so an application that only calls it with hard-coded or allowlisted values is not exposed even on an unpatched version.

📦 What is this software?

ssh2 is an npm package that provides SSH2 client and server modules for Node.js. It is also a transitive dependency of many SFTP and deployment helper packages, so it can be present in a project that never lists it directly.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary command execution as the account running the Node.js process on the Windows host, leading to full compromise of that host, theft of data and of any SSH private keys or credentials the application holds, and lateral movement (an application that speaks SSH to other hosts is a ready-made pivot).

🟠 Likely Case

Command execution limited to the privileges of the application's service account, exposing the data that account can read and giving the attacker a foothold for further exploitation.

🟢 If Mitigated

No impact on Linux or macOS hosts, on ssh2 1.4.0 or later, or where untrusted input never reaches the vulnerable method (strict allowlist validation in front of it).

🌐 Internet-Facing: MEDIUM - Requires all of: Windows OS, an unpatched ssh2, a code path that feeds untrusted input to the vulnerable method, and a way for an outside attacker to supply that input.
🏢 Internal Only: MEDIUM - Same technical risk; the attacker is an insider or an already compromised internal system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: Depends on the application (the library imposes no authentication step; whether the attacker must log in before controlling the input is a property of the calling application)
Complexity: LOW

Exploitation requires attacker-controlled input to reach the vulnerable method on a Windows host. A proof of concept was published in the GitHub Security Lab advisory linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0 and later

Advisory (GitHub Security Lab, GHSL-2020-123): https://securitylab.github.com/advisories/GHSL-2020-123-mscdex-ssh2/

Restart Required: Yes

Instructions:

1. Upgrade ssh2 to 1.4.0 or later. Note that 'npm update ssh2' only moves within the semver range declared in package.json, so a project pinned to 0.x (for example '^0.8.9') is not moved to 1.4.0 by it; use 'npm install ssh2@^1.4.0' instead. ssh2 1.0 was a major release, so check the project's changelog for API changes before upgrading a 0.x application.
2. If ssh2 is pulled in transitively (the 'npm ls ssh2' tree shows it under another package), upgrade that package to a release that depends on ssh2 1.4.0 or later, or force the version with the 'overrides' field in package.json (npm 8.3 or later).
3. Restart every Node.js process that had the old module loaded; a running process keeps the code it loaded at startup.
4. Verify with 'npm ls ssh2': every listed copy must be 1.4.0 or higher.

🔧 Temporary Workarounds

Input Validation (all platforms)

Do not pass untrusted input to the vulnerable method on Windows at all if you can avoid it. Where you cannot, validate against a strict allowlist (for example, only the characters and length a legitimate value can have) rather than trying to strip shell metacharacters; cmd.exe treats &, |, ^, <, > and %VAR% expansion specially, and blocklists of those tend to miss a case.

Platform Migration (Windows)

Move the affected application to Linux or macOS, where the vulnerable code path is not used.

🧯 If You Can't Patch

  • Run the Node.js process under a low-privilege service account and segment the Windows hosts that carry unpatched ssh2 versions, so that a successful injection buys the attacker as little as possible.
  • If the untrusted input arrives over HTTP, WAF or application-firewall rules that flag cmd.exe metacharacters (&, |, ^) in the relevant parameters give partial coverage. They cannot inspect the SSH traffic itself, which is encrypted; the control point is the application's own input channel.

🔍 How to Verify

Check if Vulnerable:

A Windows host is affected if any installed copy of ssh2, direct or transitive, is below 1.4.0. Check package-lock.json or run 'npm ls ssh2', which lists every copy in the dependency tree, not just the one declared in package.json.

Check Version:

npm ls ssh2 | findstr ssh2   (cmd.exe; grep is usually not present on the Windows hosts this bug affects)
npm ls ssh2 | Select-String ssh2   (PowerShell)
npm ls ssh2 | grep ssh2   (Linux/macOS, for completeness; those hosts are not affected)

Verify Fix Applied:

Confirm with 'npm ls ssh2' that every listed copy is 1.4.0 or higher and that 'npm audit' no longer reports CVE-2020-26301, then re-run the application's test suite on Windows with inputs containing cmd.exe metacharacters (&, |, ^) to confirm no extra command is executed.

📡 Detection & Monitoring

Log Indicators:

  • Process creation on Windows (Sysmon Event ID 1 or Security 4688) where node.exe is the parent of cmd.exe, powershell.exe or pwsh.exe and the command line carries cmd.exe chaining tokens (&, |, ^): the vulnerable code path goes through a shell, so the parent/child pair alone is expected on an unpatched host, but the chaining tokens are not
  • Children of such a shell that are interpreters or download/execution utilities (powershell.exe, certutil.exe, bitsadmin.exe, mshta.exe, rundll32.exe, wscript.exe)
  • Application log entries showing the affected input parameter containing shell metacharacters or unexpectedly long values

Network Indicators:

  • Unexpected outbound connections from the Node.js process or its child processes to hosts that are not the application's configured SSH targets
  • The SSH sessions themselves are encrypted, so their payloads are not inspectable on the wire; rely on host telemetry rather than packet content

SIEM Query:

The original query looked for the literal strings "command injection" and "unexpected execution" in application logs, which no log writes. A query over Sysmon process-creation events (Splunk-style syntax; the source name depends on the forwarder configuration, the field names are Sysmon's):

source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\node.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe") (CommandLine="*&*" OR CommandLine="*|*" OR CommandLine="*^*")
