CVE-2025-54804
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| russh_project | russh | to 0.54.1 (exc) |
| warpgate_project | warpgate | to 0.16.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54804 is an integer overflow vulnerability in the Rust SSH library 'russh' in versions before 0.54.1 (0.54.0 and earlier). The code handling the SSH CHANNEL_WINDOW_ADJUST message adds the peer-supplied "bytes to add" value to an internal window-size counter without checking for overflow. A malicious client can send a crafted CHANNEL_WINDOW_ADJUST whose value pushes the counter past the maximum of its integer type; if the build has Rust's overflow checks enabled (the default for debug builds, and optional for release builds), the addition panics and the server process crashes. In a build with overflow checks disabled, the standard Rust release default, the addition wraps around silently instead of panicking. [1, 2]
How can this vulnerability impact me?
This vulnerability can be exploited by a remote attacker with low privileges and no user interaction to cause a denial of service by crashing the SSH server using the russh library. This results in high availability impact as the server becomes unavailable. While a malicious server could also crash a client, the primary concern is the server crash. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Inspecting CHANNEL_WINDOW_ADJUST messages on the wire is not practical: after the SSH key exchange, channel-layer messages travel inside the encrypted transport, so Wireshark or tcpdump will show only ciphertext and cannot distinguish a crafted window adjustment from a normal one. Detection therefore works at the build and host level. First, find out whether a service links a vulnerable russh version, for example with `cargo tree -i russh` in the project or by reading the `russh` entry in its `Cargo.lock`, and treat anything below 0.54.1 as affected (for Warpgate, anything below 0.16.0). Second, exploitation of an affected build with overflow checks enabled shows up as a Rust panic ("attempt to add with overflow") raised from the channel-window code in russh's client or server `encrypted.rs`, followed by the process exiting, so watch service logs and process supervision for repeated panics and restarts of the SSH service. The resources do not provide specific detection commands beyond this. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the russh library to version 0.54.1 or later, where the vulnerability is fixed by using saturating addition to prevent integer overflow in the channel window adjustment logic; Warpgate users should upgrade to 0.16.0 or later, which carries the fixed dependency. If upgrading is not immediately possible, apply the patch that replaces the vulnerable addition with Rust's saturating_add method in the relevant source files (`russh/src/client/encrypted.rs` and `russh/src/server/encrypted.rs`) and rebuild. Because the triggering message cannot be filtered in transit, the only network-level reduction of risk is restricting which clients can reach the SSH service at all, for example with firewall rules or allow-lists, until the fixed build is deployed. [1, 2]
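The following is an added example, not code from russh or from the advisory, illustrating the mechanism described in the explanation above and the saturating-add fix described in the mitigation answer. It parses a constructed CHANNEL_WINDOW_ADJUST payload (RFC 4254 layout: message byte 93, recipient channel, bytes to add) and applies it to a toy channel window in two ways: a model of the pre-0.54.1 behaviour, where the plain addition would panic under overflow checks (modelled here with `checked_add` so the failure can be observed without aborting), and the 0.54.1 behaviour using `saturating_add`. The `Channel` struct, the `AdjustError` enum and the function names are this example's own assumptions, not russh's types.

```rust
/// Message number for SSH_MSG_CHANNEL_WINDOW_ADJUST (RFC 4254, section 5.2).
const SSH_MSG_CHANNEL_WINDOW_ADJUST: u8 = 93;

/// Minimal stand-in for a channel's flow-control state.
/// (Illustrative struct for this example, not russh's own channel type.)
#[derive(Debug)]
pub struct Channel {
    pub id: u32,
    pub window_size: u32,
}

#[derive(Debug, PartialEq)]
pub enum AdjustError {
    BadMessage,
    UnknownChannel,
    WouldOverflow,
}

/// Decode a big-endian uint32 as used throughout the SSH wire format.
fn be_u32(b: &[u8]) -> u32 {
    ((b[0] as u32) << 24) | ((b[1] as u32) << 16) | ((b[2] as u32) << 8) | (b[3] as u32)
}

/// Parse the payload of a CHANNEL_WINDOW_ADJUST message:
///   byte   SSH_MSG_CHANNEL_WINDOW_ADJUST (93)
///   uint32 recipient channel
///   uint32 bytes to add
pub fn parse_window_adjust(payload: &[u8]) -> Result<(u32, u32), AdjustError> {
    if payload.len() != 9 || payload[0] != SSH_MSG_CHANNEL_WINDOW_ADJUST {
        return Err(AdjustError::BadMessage);
    }
    Ok((be_u32(&payload[1..5]), be_u32(&payload[5..9])))
}

/// Build a CHANNEL_WINDOW_ADJUST payload; used here to construct sample input.
pub fn encode_window_adjust(channel: u32, bytes_to_add: u32) -> Vec<u8> {
    let mut v = Vec::with_capacity(9);
    v.push(SSH_MSG_CHANNEL_WINDOW_ADJUST);
    v.extend_from_slice(&channel.to_be_bytes());
    v.extend_from_slice(&bytes_to_add.to_be_bytes());
    v
}

/// Model of the pre-0.54.1 logic, a plain `window_size + bytes_to_add`.
/// With overflow checks enabled that addition panics and takes the process
/// down; this model reports the same condition as an error instead so it can
/// be observed. With overflow checks disabled the real addition would wrap.
pub fn adjust_window_vulnerable(ch: &mut Channel, bytes_to_add: u32) -> Result<u32, AdjustError> {
    match ch.window_size.checked_add(bytes_to_add) {
        Some(new_size) => {
            ch.window_size = new_size;
            Ok(new_size)
        }
        None => Err(AdjustError::WouldOverflow),
    }
}

/// The fixed logic: clamp at u32::MAX with saturating_add, as the 0.54.1 patch does.
pub fn adjust_window_fixed(ch: &mut Channel, bytes_to_add: u32) -> u32 {
    ch.window_size = ch.window_size.saturating_add(bytes_to_add);
    ch.window_size
}

/// Dispatch one incoming CHANNEL_WINDOW_ADJUST to the matching channel.
/// `patched` selects between the vulnerable model and the fixed behaviour.
pub fn handle_window_adjust(
    channels: &mut [Channel],
    payload: &[u8],
    patched: bool,
) -> Result<u32, AdjustError> {
    let (id, bytes_to_add) = parse_window_adjust(payload)?;
    let ch = channels
        .iter_mut()
        .find(|c| c.id == id)
        .ok_or(AdjustError::UnknownChannel)?;
    if patched {
        Ok(adjust_window_fixed(ch, bytes_to_add))
    } else {
        adjust_window_vulnerable(ch, bytes_to_add)
    }
}

fn main() {
    // Constructed sample: a 2 MiB window, then a hostile adjust of u32::MAX bytes.
    let mut channels = vec![Channel { id: 0, window_size: 2 * 1024 * 1024 }];
    let hostile = encode_window_adjust(0, u32::MAX);
    println!("unpatched: {:?}", handle_window_adjust(&mut channels, &hostile, false));
    println!("patched:   {:?}", handle_window_adjust(&mut channels, &hostile, true));
}
```

The hostile message is well-formed at the protocol level, which is why it cannot be rejected by a parser: only the arithmetic on the receiving side decides whether the peer can drive the counter past its range. Saturating keeps the server up at the cost of capping the window, which is the trade-off the fix makes.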