CVE-2024-41258
Description
Filestash v0.4 disables SSH host key verification via ssh.InsecureIgnoreHostKey(), enabling MITM attacks to obtain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Filestash v0.4 disables SSH host key verification via ssh.InsecureIgnoreHostKey(), enabling MITM attacks to obtain sensitive information.
Vulnerability
Filestash v0.4 (and earlier) uses ssh.InsecureIgnoreHostKey() in the SSH authentication component located at server/plugin/plg_backend_git/index.go. This call disables host key verification, meaning the client does not validate the identity of the SSH server it connects to. The vulnerability affects all versions up to and including v0.4, and is classified under CWE-305 (Authentication Bypass by Spoofing) and CWE-306 (Missing Authentication for Critical Function) [1].
Exploitation
An attacker needs to be in a position to intercept network traffic between the filestash instance and the targeted SSH server (i.e., a man-in-the-middle attack). No authentication or user interaction is required beyond the victim using filestash to initiate an SSH connection. The attacker can present any arbitrary host key, and filestash will accept it without verification, allowing the attacker to decrypt, modify, or inject traffic [1].
Impact
Successful exploitation allows the attacker to obtain sensitive information transmitted over the SSH connection, such as login credentials, file contents, or other data. This constitutes an information disclosure vulnerability with potential for further compromise of the SSH server or client systems [1].
Mitigation
As of the publication date (2024-07-31), no fixed version of filestash has been announced. The vendor has not released a patch or workaround. Users are advised to avoid using filestash with SSH connections until a fix is available, or to implement network-level controls (e.g., VPN) to reduce MITM risk [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The use of ssh.InsecureIgnoreHostKey() disables host key verification in the SSH client."
Attack vector
An attacker can perform a man-in-the-middle attack during SSH authentication using username and password. By intercepting the connection, the attacker can potentially obtain sensitive information. This is facilitated by the disabling of host key verification, which would normally prevent such impersonation.
Affected code
The vulnerability resides in the SSH authentication component, specifically within the file `mickael-kerjean/filestash/server/plugin/plg_backend_git/index.go`. The problematic code uses the `ssh.InsecureIgnoreHostKey()` function.
What the fix does
The advisory does not specify a patch or remediation steps. However, the vulnerability is caused by the use of `ssh.InsecureIgnoreHostKey()`. To fix this, host key verification should be properly implemented instead of being disabled.
Preconditions
- authSSH authentication using username and password must be configured.
- networkThe attacker must be able to intercept network traffic between the filestash server and the SSH server (man-in-the-middle position).
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.