Verify() for FIDO and U2F keys failed to enforce the user presence flag, allowing signatures to be generated without a physical touch. This is a CWE‑862: Unchecked Control Flow - Missing User Presence Verification weakness, meaning the software does not confirm that the user physically interacted with the security key before accepting the signature.

The affected product is golang.org/x/crypto/ssh, specifically its handling of sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys. Any Go application or service that uses this library to authenticate SSH connections with FIDO/U2F devices may be impacted. No specific version range is provided, so any version prior to an update that restores the user presence check is potentially vulnerable.

Because the defect resides in the cryptographic verification routine, an attacker can exploit it without needing privileged local access, simply by using the key in a context where the library verifies authentication. The EPSS score is < 1%, indicating a low probability of exploitation in observed traffic, yet the CVSS Score of 9.1 reflects a high consequence. The vulnerability is not listed in CISA KEV, so there is no active exploitation. The likely attack vector is remote SSH authentication, where an attacker supplies a signature from a hardware security key without the FIDO/U2F user‑presence flag being set. The severity remains high due to the potential to subvert strong authentication.