GHSA-H5RC-J5F5-3GCM

Vulnerability from github – Published: 2025-08-04 20:28 – Updated: 2025-08-05 17:11
Summary
russh is missing overflow checks during channel windows adjust
Details

Summary

The channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in an integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server.

Details

According to https://datatracker.ietf.org/doc/html/rfc4254#section-5.2, the value must not overflow. The incorrect handling is done in server/encrypted.rs and client/encrypted.rs in the handling of CHANNEL_WINDOW_ADJUST.

let amount = map_err!(u32::decode(&mut r))?;
...
channel.recipient_window_size += amount;

It could be replaced with something like

if let Some(ref mut channel) = enc.channels.get_mut(&channel_num) {
    // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes.
    let new_size = channel.recipient_window_size.saturating_add(amount);
    channel.recipient_window_size = new_size;
}
...
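To make the failure mode and the fix concrete, the following is an added Rust example that is not russh code: a minimal CHANNEL_WINDOW_ADJUST parser following the RFC 4254 section 5.2 wire layout, the vulnerable `window += amount` pattern modelled with `checked_add` (so it returns `None` exactly where an overflow-checked build would panic), and two hardened variants: the saturating one proposed above and a stricter one that reports the overflow as a protocol violation so the caller can drop the peer. The `Channel` type, the `apply_window_adjust_*` function names and the sample message bytes are constructed for this example.

```rust
// Added example (not russh code). Wire layout per RFC 4254 section 5.2:
//   byte      SSH_MSG_CHANNEL_WINDOW_ADJUST (93)
//   uint32    recipient channel
//   uint32    bytes to add
const SSH_MSG_CHANNEL_WINDOW_ADJUST: u8 = 93;

// Constructed sample payload as a receiver would see it: channel 0,
// "bytes to add" = 0xFFFFFFFF (u32::MAX).
pub const SAMPLE_ADJUST: [u8; 9] = [93, 0, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF];

// Hypothetical per-channel state; russh's real struct has more fields.
#[derive(Debug, PartialEq)]
pub struct Channel {
    pub recipient_window_size: u32,
}

#[derive(Debug, PartialEq)]
pub enum AdjustError {
    Malformed,
    WindowOverflow,
}

/// Parse a CHANNEL_WINDOW_ADJUST payload into (recipient channel, bytes to add).
pub fn parse_window_adjust(payload: &[u8]) -> Result<(u32, u32), AdjustError> {
    if payload.len() != 9 || payload[0] != SSH_MSG_CHANNEL_WINDOW_ADJUST {
        return Err(AdjustError::Malformed);
    }
    let chan = u32::from_be_bytes([payload[1], payload[2], payload[3], payload[4]]);
    let amount = u32::from_be_bytes([payload[5], payload[6], payload[7], payload[8]]);
    Ok((chan, amount))
}

/// Vulnerable pattern (`recipient_window_size += amount`). `checked_add` is used
/// here so the function returns `None` where a build with overflow checks would
/// panic; a release build without checks would instead wrap silently.
pub fn apply_window_adjust_unchecked(channel: &mut Channel, amount: u32) -> Option<u32> {
    let new_size = channel.recipient_window_size.checked_add(amount)?;
    channel.recipient_window_size = new_size;
    Some(new_size)
}

/// Hardened variant from the advisory: clamp at u32::MAX (2^32 - 1), the
/// maximum window RFC 4254 allows, and never panic.
pub fn apply_window_adjust_saturating(channel: &mut Channel, amount: u32) -> u32 {
    channel.recipient_window_size = channel.recipient_window_size.saturating_add(amount);
    channel.recipient_window_size
}

/// Stricter variant: RFC 4254 says the window MUST NOT be increased above
/// 2^32 - 1, so an overflowing adjust is a protocol violation the caller can
/// log and answer by closing the connection, rather than silently clamping.
pub fn apply_window_adjust_strict(channel: &mut Channel, amount: u32) -> Result<u32, AdjustError> {
    match channel.recipient_window_size.checked_add(amount) {
        Some(new_size) => {
            channel.recipient_window_size = new_size;
            Ok(new_size)
        }
        None => Err(AdjustError::WindowOverflow),
    }
}

fn main() {
    let (chan, amount) = parse_window_adjust(&SAMPLE_ADJUST).expect("well-formed sample");
    println!("channel {chan}: peer asks to add {amount} bytes");

    // Start from a typical 2 MiB window so the addition overflows.
    let mut vulnerable = Channel { recipient_window_size: 2_097_152 };
    println!("unchecked: {:?}", apply_window_adjust_unchecked(&mut vulnerable, amount));

    let mut saturating = Channel { recipient_window_size: 2_097_152 };
    println!("saturating: {}", apply_window_adjust_saturating(&mut saturating, amount));

    let mut strict = Channel { recipient_window_size: 2_097_152 };
    println!("strict: {:?}", apply_window_adjust_strict(&mut strict, amount));
}
```

Which hardened variant to prefer is a policy choice: saturating keeps the session alive and matches the advisory's suggestion, while the strict variant turns a spec violation into a visible event (a log line and a disconnect) that is easier to alert on.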

PoC

A customized client code would be required to send a message with a big value like u32_max. Not done yet.

Impact

This problem seems only critical to a server. One user can crash the server, which might take down the service. A malicious server could also crash a single client, but this seems not very critical.


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.54.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-04T20:28:36Z",
    "nvd_published_at": "2025-08-05T01:15:42Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in a integer overflow. If the Rust code is compiled with overflow checks, it will panic.  A malicious  client can crash a server. \n\n### Details\nAccording https://datatracker.ietf.org/doc/html/rfc4254#section-5.2, The value must not overflow. \nThe incorrect handling is done in server/encrypted.rs and client/encrypted.rs in the handling of CHANNEL_WINDOW_ADJUST. \n\n```\nlet amount = map_err!(u32::decode(\u0026mut r))?;\n...\nchannel.recipient_window_size += amount;\n```\n\nIt could be replaced with something like \n\n```\n  if let Some(ref mut channel) = enc.channels.get_mut(\u0026channel_num) {\n                        // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes.\n                        new_size = channel.recipient_window_size.saturating_add(amount);\n                        channel.recipient_window_size = new_size;\n                    }\n...\n```\n\n### PoC\nA customized client code would be required to send a message with a big value like u32_max. Not done yet.\n\n### Impact\nThis problem seems only critical to a server. One user can crash the server, which might take down the service. A malicious server could also crash a single client, but this seems not very critical.",
  "id": "GHSA-h5rc-j5f5-3gcm",
  "modified": "2025-08-05T17:11:17Z",
  "published": "2025-08-04T20:28:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-h5rc-j5f5-3gcm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54804"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/commit/0eb5e406780890e21ff71dd25d731b30676478e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Eugeny/russh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "russh is missing overflow checks during channel windows adjust"
}