Vulnerability Description
wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wolfssh | Wolfssh | < 1.4.22 |
Related Weaknesses (CWE)
References
- https://github.com/wolfSSL/wolfssh/pull/855Issue Tracking
FAQ
What is CVE-2025-14942?
CVE-2025-14942 is a vulnerability with a CVSS score of 9.8 (CRITICAL). wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. T...
How severe is CVE-2025-14942?
CVE-2025-14942 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-14942?
Check the references section above for vendor advisories and patch information. Affected products include: Wolfssh Wolfssh.