CVE-2025-4658

Publication date 13 May 2025

Last updated 14 May 2025

Ubuntu priority

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
opkssh	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2025-4658
https://github.com/openpubkey/opkssh/security/advisories/GHSA-56wx-66px-9j66
https://github.com/openpubkey/opkssh