AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username
Description
Summary
AsyncSSH 2.22.0 expands the OpenSSH-compatible AuthorizedKeysFile %u token with the raw SSH username during pre-authentication server config reload. A server configured with a documented per-user key pattern such as AuthorizedKeysFile authorized_keys/%u can be made to read an authorized-keys file outside the intended directory when the SSH username contains path traversal segments. If the attacker can place or reference a readable authorized-keys-format file containing their public key, the attacker can authenticate over SSH as the traversal username.
Affected
Product - Package: asyncssh - Ecosystem: pip - Affected versions: confirmed on 2.22.0; exact lower bound not finalized - Tested version: 2.22.0 - Audit commit/tag: tag v2.22.0, commit af5a81e669633d83d535163f93b6bf3f957c9238 - PyPI sdist SHA256: c3ce72b01be4f97b40e62844dd384227e5ff5a401a3793007c42f86a5c8eb537
Vulnerability
Details - CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory - Component: AsyncSSH server config reload and public-key authentication (asyncssh/config.py, asyncssh/connection.py, asyncssh/auth_keys.py, asyncssh/misc.py) - Root cause: %u in AuthorizedKeysFile is expanded from the remote username without rejecting path separators or .. segments, and the resulting path is opened without constraining it to the intended authorized-keys directory. - Security boundary violated: the configured authorized-keys directory and public-key authentication trust boundary. - Direct impact: public-key authentication succeeds using an attacker-selected authorized-keys file outside the intended directory. - Chain impact, if any: none claimed; direct authentication impact is primary.
Attack
Preconditions - The AsyncSSH server uses a config or equivalent pattern where AuthorizedKeysFile contains %u, for example AuthorizedKeysFile authorized_keys/%u. - Public-key authentication is enabled. - The attacker can place or reference a readable authorized-keys-format file outside the intended directory, such as a file in a world-writable or application-writable location. - The application does not separately reject usernames containing /, \, or .. before AsyncSSH uses the username for key-file selection.
Reproduction
The run-scoped evidence contains a safe localhost proof:
1. Start the proof harness saved at harness_app.py
2. Run exploit_proof.py through run_proof.sh
- The harness creates
sshd_configwithAuthorizedKeysFile authorized_keys/%u, writes the attacker's public key to a file outsideauthorized_keys/, starts a real AsyncSSH server, and attempts two SSH logins. - Expected result: the normal username
victimfails, while the traversal username authenticates with the same attacker key.
Observed proof output:
[CONTROL] username=victim success=False
[ATTACK] username=../../../asyncssh-proof-exploit-proof-8b2bd23daeeb.pub success=True
[ATTACK] output=AUTH_BYPASS_SUCCESS username=../../../asyncssh-proof-exploit-proof-8b2bd23daeeb.pub
PASS: traversal username authenticated with attacker-controlled authorized_keys file
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
asyncsshPyPI | >= 2.22.0, < 2.23.0 | 2.23.0 |
Affected products
4- osv-coords3 versionspkg:apk/chainguard/airflow-3pkg:apk/wolfi/airflow-3pkg:rpm/opensuse/python-asyncssh&distro=openSUSE%20Tumbleweed
< 3.2.1-r4+ 2 more
- (no CPE)range: < 3.2.1-r4
- (no CPE)range: < 3.2.1-r4
- (no CPE)range: < 2.23.1-1.1
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.