Verify() for FIDO and U2F keys failed to enforce the user presence flag, allowing signatures to be generated without a physical touch. This defect permits an attacker to use a hardware security key without user interaction, effectively bypassing the authentication mechanism that relies on a trusted device. The vulnerability can lead to unauthorized SSH access to systems that rely on these keys for authentication, compromising confidentiality and integrity of the protected resources.

The affected product is golang.org/x/crypto/ssh, specifically its handling of sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys. Any Go application or service that uses this library to authenticate SSH connections with FIDO/U2F devices may be impacted. No specific version range is provided, so any version prior to an update that restores the user presence check is potentially vulnerable.

Because the error resides in the cryptographic verification routine, an attacker can exploit it without needing privileged local access, simply by using the key in a context where the library verifies authentication. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, indicating a lack of known exploitation data. Nonetheless, the severity is high due to the potential to subvert strong authentication. Official guidance recommends restoring the previous behavior by supplying a no-touch-required extension in Permissions.Extensions from the PublicKeyCallback. Until that fix is applied, users should avoid relying on these keys for critical authentication or restrict their use to environments where user presence can be enforced by other means.