ghsa-h5rc-j5f5-3gcm
Vulnerability from github
Published
2025-08-04 20:28
Modified
2025-08-05 17:11
Summary
russh is missing overflow checks during channel windows adjust
Details

Summary

The channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in a integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server.

Details

According https://datatracker.ietf.org/doc/html/rfc4254#section-5.2, The value must not overflow. The incorrect handling is done in server/encrypted.rs and client/encrypted.rs in the handling of CHANNEL_WINDOW_ADJUST.

let amount = map_err!(u32::decode(&mut r))?; ... channel.recipient_window_size += amount;

It could be replaced with something like

if let Some(ref mut channel) = enc.channels.get_mut(&channel_num) { // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes. new_size = channel.recipient_window_size.saturating_add(amount); channel.recipient_window_size = new_size; } ...

PoC

A customized client code would be required to send a message with a big value like u32_max. Not done yet.

Impact

This problem seems only critical to a server. One user can crash the server, which might take down the service. A malicious server could also crash a single client, but this seems not very critical.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.54.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-04T20:28:36Z",
    "nvd_published_at": "2025-08-05T01:15:42Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in a integer overflow. If the Rust code is compiled with overflow checks, it will panic.  A malicious  client can crash a server. \n\n### Details\nAccording https://datatracker.ietf.org/doc/html/rfc4254#section-5.2, The value must not overflow. \nThe incorrect handling is done in server/encrypted.rs and client/encrypted.rs in the handling of CHANNEL_WINDOW_ADJUST. \n\n```\nlet amount = map_err!(u32::decode(\u0026mut r))?;\n...\nchannel.recipient_window_size += amount;\n```\n\nIt could be replaced with something like \n\n```\n  if let Some(ref mut channel) = enc.channels.get_mut(\u0026channel_num) {\n                        // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes.\n                        new_size = channel.recipient_window_size.saturating_add(amount);\n                        channel.recipient_window_size = new_size;\n                    }\n...\n```\n\n### PoC\nA customized client code would be required to send a message with a big value like u32_max. Not done yet.\n\n### Impact\nThis problem seems only critical to a server. One user can crash the server, which might take down the service. A malicious server could also crash a single client, but this seems not very critical.",
  "id": "GHSA-h5rc-j5f5-3gcm",
  "modified": "2025-08-05T17:11:17Z",
  "published": "2025-08-04T20:28:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-h5rc-j5f5-3gcm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54804"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/commit/0eb5e406780890e21ff71dd25d731b30676478e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Eugeny/russh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "russh is missing overflow checks during channel windows adjust"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…