CVE-2026-45309
ronf · asyncssh
The AsyncSSH Python package is susceptible to a path traversal vulnerability that could allow unauthorized access to files outside of the intended directory.
Executive summary
A high-severity path traversal vulnerability in AsyncSSH could allow unauthenticated attackers to access restricted files on the host system.
Vulnerability
The vulnerability is classified as Improper Limitation of a Pathname to a Restricted Directory (CWE-22). It allows an attacker to bypass directory restrictions during SSH operations, potentially leading to unauthorized file system access.
Business impact
Successful exploitation of this path traversal vulnerability could result in the unauthorized disclosure of sensitive configuration files, source code, or system data. With a CVSS score of 8.2, this vulnerability represents a significant risk to the security of the host environment. Unauthorized access to the file system can provide attackers with the necessary information to escalate privileges or move laterally within the network.
Remediation
Immediate Action: Update the asyncssh package to version 2.23.0 or later to resolve the directory traversal flaw.
Proactive Monitoring: Monitor file access logs for attempts to traverse outside of the expected directories, specifically looking for dot-dot-slash patterns.
Compensating Controls: Run the application with the principle of least privilege, ensuring the process owner has minimal access to the underlying file system.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for unauthorized file access, it is critical to apply the update to version 2.23.0 immediately. Organizations should verify their dependency trees to ensure that all instances of AsyncSSH are patched to the secure version.