GHSA-56wx-66px-9j66: OPKSSH Vulnerable to Authentication Bypass

Impact

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.

Patches

The vulnerability does not exist in more recent versions of OPKSSH. his only impacts OPKSSH when used to verify ssh keys on a server, the OPKSSH client is unaffected. To remediate upgrade to a version of OPKSSH v0.5.0 or greater.

To determine if you are vulnerable run on your server:

If the version is less than 0.5.0 you should upgrade. To upgrade to the latest version run:

wget -qO- “https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh” | sudo bash

References

CVE-2025-4658

The upstream vulnerability in OpenPubkey is CVE-2025-3757 and has the security advisory GHSA-537f-gxgm-3jjq

References

• GHSA-56wx-66px-9j66
• https://nvd.nist.gov/vuln/detail/CVE-2025-4658
• https://github.com/openpubkey/opkssh