CVE-2026-54591
Ronf · AsyncSSH
AsyncSSH contains a path traversal vulnerability that allows unauthorized file system access due to improper path validation in the SSHv2 protocol implementation.
Executive summary
A path traversal vulnerability in AsyncSSH version 2.23.1 and earlier poses a significant security risk by potentially allowing unauthorized file operations.
Vulnerability
This vulnerability is a Path Traversal flaw (CWE-22) residing within the AsyncSSH library. An unauthenticated remote attacker could leverage this weakness to manipulate file paths, potentially resulting in unauthorized file access or integrity impact.
Business impact
Successful exploitation could allow an attacker to bypass file system restrictions, leading to the unauthorized reading or modification of sensitive system files. Given the CVSS score of 8.1, this vulnerability represents a high risk to data confidentiality and integrity, potentially facilitating further system compromise or data exfiltration.
Remediation
Immediate Action: Upgrade to AsyncSSH version 2.23.1 or later immediately to incorporate the necessary security patches.
Proactive Monitoring: Review SSH logs and system access logs for anomalous file path requests or unexpected directory traversal patterns.
Compensating Controls: Ensure that the host environment runs with the principle of least privilege, restricting the file system permissions of the user account executing the AsyncSSH process.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a high risk to any application utilizing the AsyncSSH library for SSHv2 connectivity. Administrators should prioritize updating to version 2.23.1 immediately to mitigate the risk of path traversal attacks.