Nixpkgs security tracker

Untriaged

Permalink CVE-2025-14821

7.8 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week ago

Libssh: libssh: insecure default configuration leads to local man-in-the-middle attacks on windows

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.

References

https://access.redhat.com/security/cve/CVE-2025-14821 vdb-entryx_refsource_REDHAT
RHBZ#2423148 x_refsource_REDHATissue-tracking
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/

Affected products

rhcos

libssh

libssh2

Matching in nixpkgs

pkgs.libssh

SSH client library

nixos-unstable 0.11.3
- nixpkgs-unstable 0.11.3
- nixos-unstable-small 0.11.3
nixos-25.11 0.11.4
- nixos-25.11-small 0.11.4
- nixpkgs-25.11-darwin 0.11.4

pkgs.libssh2

Client-side C library implementing the SSH2 protocol

nixos-unstable 1.11.1
- nixpkgs-unstable 1.11.1
- nixos-unstable-small 1.11.1
nixos-25.11 1.11.1
- nixos-25.11-small 1.11.1
- nixpkgs-25.11-darwin 1.11.1

pkgs.haskellPackages.libssh

libssh bindings

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.haskellPackages.libssh2

FFI bindings to libssh2 SSH2 client library (http://libssh2.org/)

nixos-unstable 0.2.0.9-unstable-2025-04-03
- nixpkgs-unstable 0.2.0.9-unstable-2025-04-03
- nixos-unstable-small 0.2.0.9-unstable-2025-04-03
nixos-25.11 0.2.0.9-unstable-2025-04-03
- nixos-25.11-small 0.2.0.9-unstable-2025-04-03
- nixpkgs-25.11-darwin 0.2.0.9-unstable-2025-04-03

pkgs.haskellPackages.libssh2-conduit

Conduit wrappers for libssh2 FFI bindings (see libssh2 package)

nixos-unstable 0.2.1
- nixpkgs-unstable 0.2.1
- nixos-unstable-small 0.2.1
nixos-25.11 0.2.1
- nixos-25.11-small 0.2.1
- nixpkgs-25.11-darwin 0.2.1

pkgs.python312Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

nixos-25.11 1.2.2
- nixos-25.11-small 1.2.2
- nixpkgs-25.11-darwin 1.2.2

pkgs.python313Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.2.2
- nixos-25.11-small 1.2.2
- nixpkgs-25.11-darwin 1.2.2

pkgs.python314Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2

Test whether libssh2-1.11.1 exposes pkg-config modules libssh2

nixos-unstable libssh2
- nixpkgs-unstable libssh2
- nixos-unstable-small libssh2
nixos-25.11 libssh2
- nixos-25.11-small libssh2
- nixpkgs-25.11-darwin libssh2

Package maintainers

@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@geluk Johan Geluk <johan+nix@geluk.io>
@mpscholten Marc Scholten <marc@digitallyinduced.com>
@wfdewith Wim de With <wf@dewith.io>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.libssh

pkgs.libssh2

pkgs.haskellPackages.libssh

pkgs.haskellPackages.libssh2

pkgs.haskellPackages.libssh2-conduit

pkgs.python312Packages.ansible-pylibssh

pkgs.python313Packages.ansible-pylibssh

pkgs.python314Packages.ansible-pylibssh

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2

Package maintainers