CVE-2025-4658 – This vulnerability allows attackers to bypass s... (How to Fix)

Q: How do I fix CVE-2025-4658?

1. Update OpenPubkey library to version 0.10.0 or higher. 2. Update OPKSSH to version 0.5.0 or higher. 3. Restart any services using these libraries.

Q: What is the severity of CVE-2025-4658?

CVE-2025-4658 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to bypass signature verification in OpenPubkey library by crafting malicious JWS tokens. This authentication bypass also affects OPKSSH, potentially allowing unauthorized SSH access. Organizations using OpenPubkey library versions before 0.10.0 or OPKSSH versions before 0.5.0 are affected.

📋 TL;DR

This vulnerability allows attackers to bypass signature verification in OpenPubkey library by crafting malicious JWS tokens. This authentication bypass also affects OPKSSH, potentially allowing unauthorized SSH access. Organizations using OpenPubkey library versions before 0.10.0 or OPKSSH versions before 0.5.0 are affected.

💻 Affected Systems

Products:

OpenPubkey library
OPKSSH

Versions: OpenPubkey < 0.10.0, OPKSSH < 0.5.0

Operating Systems: All platforms running affected software

Default Config Vulnerable: ⚠️ Yes

Notes: Any system using OpenPubkey for JWS signature verification or OPKSSH for SSH authentication is vulnerable by default.

📦 What is this software?

Openpubkey by Openpubkey

View all CVEs affecting Openpubkey →

Opkssh by Openpubkey

View all CVEs affecting Opkssh →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SSH authentication allowing unauthorized access to all systems using vulnerable OPKSSH configurations, potentially leading to full system takeover and data exfiltration.

🟠

Likely Case

Unauthorized SSH access to vulnerable systems, enabling privilege escalation, lateral movement, and data theft.

🟢

If Mitigated

Limited impact if systems are behind firewalls, use additional authentication factors, or have strict network segmentation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires crafting malicious JWS tokens but does not require authentication to the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenPubkey 0.10.0+, OPKSSH 0.5.0+

Vendor Advisory: https://github.com/openpubkey/opkssh

Restart Required: Yes

Instructions:

1. Update OpenPubkey library to version 0.10.0 or higher. 2. Update OPKSSH to version 0.5.0 or higher. 3. Restart any services using these libraries.

🔧 Temporary Workarounds

Disable OPKSSH authentication

all

Temporarily disable OPKSSH authentication and use alternative SSH authentication methods

# Edit SSH configuration to disable OPKSSH
# Use traditional SSH key authentication instead

🧯 If You Can't Patch

Implement network segmentation to isolate vulnerable systems
Enable multi-factor authentication for SSH access

🔍 How to Verify

Check if Vulnerable:

Check installed versions: pip show openpubkey for Python installations or check package manager for system packages

Check Version:

pip show openpubkey | grep Version

Verify Fix Applied:

Verify OpenPubkey version is >=0.10.0 and OPKSSH version is >=0.5.0

📡 Detection & Monitoring

Log Indicators:

Failed SSH authentication attempts followed by successful OPKSSH authentication
Unusual SSH connections from unexpected sources

Network Indicators:

SSH connections using OPKSSH protocol from unauthorized IPs

SIEM Query:

source="ssh.log" AND (opkssh OR openpubkey) AND auth_success=true

📊 Metadata

CVE ID: CVE-2025-4658

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-305

EPSS Score: 0.05% exploit probability (14.7th percentile)

Published: May 13, 2025

Last Updated: May 22, 2025

🔗 References

https://github.com/openpubkey/opkssh Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-4658, you might also want to check these: