CVE-2025-54804

Public Exploit
Russh is missing an overflow check during channel windows adjust

Description

Russh is a Rust SSH client & server library. In versions 0.54.0 and below, the channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in a integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server. This is fixed in version 0.54.1.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.04%
Vendor Advisory github.com
Affected: Eugeny russh
Published at:
Updated at:

References

Link Tags
https://github.com/Eugeny/russh/security/advisories/GHSA-h5rc-j5f5-3gcm exploit vendor advisory
https://github.com/Eugeny/russh/commit/0eb5e406780890e21ff71dd25d731b30676478e5 patch

Frequently Asked Questions

What is the severity of CVE-2025-54804?
CVE-2025-54804 has been scored as a medium severity vulnerability.
How to fix CVE-2025-54804?
To fix CVE-2025-54804, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-54804 being actively exploited in the wild?
It is possible that CVE-2025-54804 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-54804?
CVE-2025-54804 affects Eugeny russh.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.