CVE-2025-4658: Authentication Bypass in OPKSSH

9.3 CVSS

Description

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.

Classification

CVE ID: CVE-2025-4658

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem Types

CWE-305: Authentication Bypass by Primary Weakness

Affected Products

Vendor: OPKSSH

Product: OPKSSH

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.02% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4658
https://github.com/openpubkey/opkssh

Timeline

2025-05-13 17:40:14 UTC
CVE

Authentication Bypass in OPKSSH
2025-05-13 22:15:18 UTC
Github Advisory Database (Go)

[github.com/openpubkey/opkssh] OPKSSH Vulnerable to Authentication Bypass