Description
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.1, a malicious SSH server can write arbitrary files on the asyncssh SCP client's filesystem by sending filenames containing ../ traversal sequences because _parse_cd_args in scp.py returns server-provided names verbatim and _recv_files joins them to the destination path without enforcing the target directory boundary. This issue is fixed in version 2.23.1.
Published: 2026-07-08
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AsyncSSH, a Python SSH library, has a flaw where the SCP client does not enforce directory boundaries. A malicious SSH server can send filenames with traversal sequences (../) that the client accepts verbatim and joins to a destination path. This allows the client to write arbitrary files anywhere on its filesystem, potentially overwriting critical files or inserting malicious payloads. The weakness is identified as a path traversal vulnerability (CWE-22) and could compromise confidentiality, integrity, or availability.

Affected Systems

The product affected is AsyncSSH by ronf. All releases prior to 2.23.1 are vulnerable. The issue is fixed in version 2.23.1 and later. Any application or service that uses an older AsyncSSH release is impacted.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog. The attack vector is remote: an attacker controlling an SSH server can send a malicious SCP request to a vulnerable client, enabling arbitrary file writes without needing local access. Once exploited, the attacker can compromise or disrupt the client system.

Generated by OpenCVE AI on July 9, 2026 at 04:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AsyncSSH to version 2.23.1 or newer, which removes the path traversal flaw.
  • If upgrade is not immediately possible, disable the SCP feature in the client or add checks to reject filenames containing traversal sequences before writing.
  • In any custom SCP handling code, perform explicit server–provided path validation and normalization before joining with the destination directory to ensure files are written only inside the intended directory.

Generated by OpenCVE AI on July 9, 2026 at 04:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.1, a malicious SSH server can write arbitrary files on the asyncssh SCP client's filesystem by sending filenames containing ../ traversal sequences because _parse_cd_args in scp.py returns server-provided names verbatim and _recv_files joins them to the destination path without enforcing the target directory boundary. This issue is fixed in version 2.23.1.
Title AsyncSSH: SCP Path Traversal to Arbitrary File Write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T20:33:57.420Z

Reserved: 2026-06-15T19:45:23.539Z

Link: CVE-2026-54591

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')