Impact
AsyncSSH version 2.23.0 contains an incomplete fix that allows a user name substitution bypass in the AuthorizedKeysFile setting. The bug permits the use of a leading tilde (~) or an environment variable (${ENV}) to be expanded during SSH key file resolution, enabling an attacker to access files outside the intended authorized‑keys directory. The result is a Path Traversal (CWE-22) that also permits bypass of expected authentication controls (CWE-639).
Affected Systems
The vulnerability affects the AsyncSSH transport library provided by ronf (asyncssh). All installations of version 2.23.0 are impacted, while the issue is resolved in version 2.23.1 and later releases.
Risk and Exploitability
The CVSS score of 5.9 indicates a medium impact. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, suggesting that active exploitation is not currently documented. An attacker capable of specifying a username, or who can influence the environment variables used by the SSH server, can craft a key file path that escapes the authorized‑keys directory. This could lead to unauthorized file access or execution of arbitrary commands with the privileges of the SSH session. The attack likely originates from an external SSH client that supplies a crafted username or environment, or from a local process that sets environment variables before launching the SSH server. Overall, the vulnerability represents a moderate risk awaiting exploitation confirmation, but it should be mitigated promptly to prevent potential future attacks.
OpenCVE Enrichment