CVE-2026-45309 in AsyncSSHinfo

Summary

by MITRE • 07/17/2026

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.0, AsyncSSH expands the OpenSSH-compatible AuthorizedKeysFile %u token in asyncssh/config.py, asyncssh/connection.py, asyncssh/auth_keys.py, and asyncssh/misc.py with the raw SSH username during pre-authentication server config reload, allowing a server configured with AuthorizedKeysFile authorized_keys/%u to read an authorized-keys file outside the intended directory when the SSH username contains /, \, or .. path traversal segments and authenticate with an attacker-selected key file. This issue is fixed in version 2.23.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability resides in the AsyncSSH library's handling of the OpenSSH-compatible %u token within the AuthorizedKeysFile directive, representing a critical path traversal flaw that impacts SSH server implementations built on the Python asyncio framework. The vulnerability manifests during pre-authentication server configuration reload processes where the library expands the %u token with raw SSH username values without proper sanitization or validation, creating an opportunity for malicious actors to manipulate authentication flows through carefully crafted username inputs containing path traversal sequences.

The technical implementation flaw occurs in multiple files within the AsyncSSH codebase including asyncssh/config.py, asyncssh/connection.py, asyncssh/auth_keys.py, and asyncssh/misc.py where the %u token expansion process fails to properly validate or sanitize user-provided username values before incorporating them into file path resolution. When a server configuration specifies AuthorizedKeysFile authorized_keys/%u and an attacker submits a username containing forward slashes, backslashes, or dot-dot sequences, the library's insecure expansion allows arbitrary file system access beyond the intended directory structure. This represents a classic path traversal vulnerability that operates at the pre-authentication phase, meaning it can be exploited before any proper authentication checks occur.

The operational impact of this vulnerability extends beyond simple unauthorized file access to potentially enable full authentication compromise and privilege escalation within affected systems. Attackers can leverage this flaw to authenticate using arbitrary key files located anywhere on the system by crafting usernames that contain path traversal sequences, effectively bypassing directory restrictions imposed by the AuthorizedKeysFile configuration. This creates a significant risk for SSH servers configured with dynamic key file locations where the %u token is used to isolate user-specific keys in subdirectories, as demonstrated by the vulnerable configuration pattern authorized_keys/%u.

The vulnerability aligns with CWE-22 Path Traversal and CWE-770 Allocation of Resources Without Limits or Throttling categories, representing a resource allocation issue where file system access is improperly controlled through insecure path expansion. From an ATT&CK framework perspective, this maps to T1566.001 Valid Accounts and T1078 Valid Accounts as it enables attackers to leverage legitimate SSH user accounts for unauthorized access while potentially bypassing authentication mechanisms entirely. The pre-authentication nature of the exploit also aligns with T1110.003 Brute Force and T1078.004 Valid Accounts, as it allows attackers to manipulate account validation processes through crafted input manipulation.

Mitigation strategies for this vulnerability require immediate upgrade to AsyncSSH version 2.23.0 or later where the path expansion logic has been properly secured. Organizations should also implement additional defensive measures including restricting SSH server configurations to avoid using the %u token in potentially vulnerable setups, implementing strict input validation on user authentication requests, and monitoring for unusual authentication patterns that might indicate exploitation attempts. Network-level protections such as SSH server hardening, rate limiting, and access control lists can provide additional defense-in-depth layers while administrators should conduct thorough audits of all SSH configurations to identify and remediate similar path traversal vulnerabilities in other components of their infrastructure.

Responsible

GitHub M

Reservation

05/11/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!