GHSA-h5rc-j5f5-3gcm
Vulnerability from GitHub
Summary
The channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in an integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server.
Details
According to RFC 4254 section 5.2 (https://datatracker.ietf.org/doc/html/rfc4254#section-5.2), the value must not overflow. The incorrect handling is done in server/encrypted.rs and client/encrypted.rs in the handling of CHANNEL_WINDOW_ADJUST:
```rust
let amount = map_err!(u32::decode(&mut r))?;
...
channel.recipient_window_size += amount;
```
It could be replaced with something like:

```rust
if let Some(ref mut channel) = enc.channels.get_mut(&channel_num) {
    // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes.
    let new_size = channel.recipient_window_size.saturating_add(amount);
    channel.recipient_window_size = new_size;
}
...
```
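To make the defect and the fix concrete, here is an added example that is not russh's code and not part of the advisory: a small model of CHANNEL_WINDOW_ADJUST handling that parses the RFC 4254 wire format (byte 93, uint32 recipient channel, uint32 bytes to add), then applies the amount three ways: the unchecked `+=` from the vulnerable code (modelled with `checked_add` so the overflow shows up as `None` rather than a panic), the `saturating_add` fix proposed above, and a stricter variant that rejects an overflowing adjust as a protocol violation. The `Channel` struct, `AdjustError` enum, the 2 MiB starting window and the message values (including the u32::MAX case the PoC section mentions) are all constructed for this example and are my assumptions, not identifiers from the russh code base.

```rust
// Added example, not russh's code: a model of CHANNEL_WINDOW_ADJUST handling
// that contrasts the unchecked addition with two overflow-safe variants.
use std::collections::HashMap;

/// Message number from RFC 4254 section 5.2.
pub const SSH_MSG_CHANNEL_WINDOW_ADJUST: u8 = 93;

/// Constructed starting window for the examples: 2 MiB (assumption).
pub const INITIAL_WINDOW: u32 = 2 * 1024 * 1024;

/// Per-channel state we care about here (assumed shape, not russh's struct).
#[derive(Debug)]
pub struct Channel {
    pub recipient_window_size: u32,
}

#[derive(Debug, PartialEq)]
pub enum AdjustError {
    BadMessage,
    UnknownChannel(u32),
    /// The peer asked to grow the window past 2^32 - 1, which RFC 4254 forbids.
    WindowOverflow { current: u32, amount: u32 },
}

/// Wire format (RFC 4254 5.2): byte 93, uint32 recipient channel, uint32 bytes to add.
/// Returns (recipient channel, amount).
pub fn parse_window_adjust(msg: &[u8]) -> Result<(u32, u32), AdjustError> {
    if msg.len() != 9 || msg[0] != SSH_MSG_CHANNEL_WINDOW_ADJUST {
        return Err(AdjustError::BadMessage);
    }
    let channel = u32::from_be_bytes([msg[1], msg[2], msg[3], msg[4]]);
    let amount = u32::from_be_bytes([msg[5], msg[6], msg[7], msg[8]]);
    Ok((channel, amount))
}

/// Encodes a message for the constructed inputs used below (what a regression test feeds in).
pub fn encode_window_adjust(channel: u32, amount: u32) -> [u8; 9] {
    let mut out = [0u8; 9];
    out[0] = SSH_MSG_CHANNEL_WINDOW_ADJUST;
    out[1..5].copy_from_slice(&channel.to_be_bytes());
    out[5..9].copy_from_slice(&amount.to_be_bytes());
    out
}

/// The vulnerable arithmetic, `recipient_window_size += amount`, modelled with
/// `checked_add` so the overflow is observable instead of panicking (debug
/// build) or silently wrapping (release build): `None` marks the inputs that
/// trip the bug.
pub fn apply_unchecked_model(current: u32, amount: u32) -> Option<u32> {
    current.checked_add(amount)
}

/// Fix proposed in the advisory: clamp at u32::MAX with `saturating_add`.
pub fn apply_saturating(
    channels: &mut HashMap<u32, Channel>,
    channel_num: u32,
    amount: u32,
) -> Result<u32, AdjustError> {
    let channel = channels
        .get_mut(&channel_num)
        .ok_or(AdjustError::UnknownChannel(channel_num))?;
    // RFC 4254: the window MUST NOT be increased above 2^32 - 1 bytes.
    channel.recipient_window_size = channel.recipient_window_size.saturating_add(amount);
    Ok(channel.recipient_window_size)
}

/// Stricter alternative (my choice, not the advisory's): treat an adjust that
/// would overflow as a protocol violation and leave the window untouched, so
/// the caller can log the event and disconnect the peer.
pub fn apply_strict(
    channels: &mut HashMap<u32, Channel>,
    channel_num: u32,
    amount: u32,
) -> Result<u32, AdjustError> {
    let channel = channels
        .get_mut(&channel_num)
        .ok_or(AdjustError::UnknownChannel(channel_num))?;
    let current = channel.recipient_window_size;
    channel.recipient_window_size = current
        .checked_add(amount)
        .ok_or(AdjustError::WindowOverflow { current, amount })?;
    Ok(channel.recipient_window_size)
}

/// One channel (number 0) with the constructed initial window.
pub fn fresh_channels() -> HashMap<u32, Channel> {
    let mut m = HashMap::new();
    m.insert(0, Channel { recipient_window_size: INITIAL_WINDOW });
    m
}

fn main() {
    // Constructed messages: a normal adjust and one carrying u32::MAX.
    let normal = encode_window_adjust(0, 1024);
    let hostile = encode_window_adjust(0, u32::MAX);
    for msg in [&normal, &hostile] {
        let (ch, amount) = parse_window_adjust(msg).expect("well-formed message");
        println!("channel {}, amount {}:", ch, amount);
        println!("  unchecked model -> {:?}", apply_unchecked_model(INITIAL_WINDOW, amount));
        let mut channels = fresh_channels();
        println!("  saturating      -> {:?}", apply_saturating(&mut channels, ch, amount));
        let mut channels = fresh_channels();
        println!("  strict          -> {:?}", apply_strict(&mut channels, ch, amount));
    }
}
```

The `apply_unchecked_model` line is the one a unit test for CWE-190 should exercise: it is `None` exactly for the inputs that make the original `+=` panic under overflow checks. Between the two safe variants, saturating keeps the connection alive, while the strict variant gives the server a point at which to log the violating peer and drop it; either removes the crash.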
PoC
A customized client would be required to send a message with a large value such as u32::MAX. Not done yet.
Impact
This problem seems critical only for a server. One user can crash the server, which might take down the service. A malicious server could also crash a single client, but this seems not very critical.
Advisory metadata
- Advisory: GHSA-h5rc-j5f5-3gcm (russh is missing overflow checks during channel windows adjust)
- Affected package: russh (crates.io), all versions before 0.54.1; fixed in 0.54.1
- Aliases: CVE-2025-54804
- CWE: CWE-190 (Integer Overflow or Wraparound)
- Severity: MODERATE, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Published: 2025-08-04T20:28:36Z (GitHub reviewed 2025-08-04T20:28:36Z); modified: 2025-08-05T17:11:17Z; NVD published: 2025-08-05T01:15:42Z
- References:
  - https://github.com/Eugeny/russh/security/advisories/GHSA-h5rc-j5f5-3gcm (advisory)
  - https://nvd.nist.gov/vuln/detail/CVE-2025-54804 (NVD)
  - https://github.com/Eugeny/russh/commit/0eb5e406780890e21ff71dd25d731b30676478e5 (commit)
  - https://github.com/Eugeny/russh (package)