libssh, The SSH Library! https://www.libssh.org

libssh 0.12.0 and 0.11.4 security releases
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/ Tue, 10 Feb 2026 11:32:42 +0000

We are thrilled to announce a new libssh 0.12.0 release bringing several new features including Post-Quantum Crypto Key exchange mechanisms, support for FIDO2/U2F based keys, sshsig signatures (for example for git commits) and GSSAPI Key exchange.

Additionally, it fixes several security issues that were backported to libssh 0.11.4, our stable distribution.

A big thank you to all the contributors who made this release possible!

For those new to libssh, we recommend checking out our getting started tutorial. If you have any questions, feel free to join our mailing list or visit our Matrix channel.

You can download libssh-0.12.0 here and libssh-0.11.4 here.

ChangeLog for libssh 0.12.0:

Security:

Deprecations and removals:

  • Bumped minimal RSA key size to 1024 bits

New functionality:

  • Add support for hybrid key exchange mechanisms using Quantum Resistant cryptography for all backends. These are now preferred:
    • sntrup761x25519-sha512, sntrup761x25519-sha512@openssh.com
    • mlkem768nistp256-sha256
    • mlkem768x25519-sha256
    • mlkem1024nistp384-sha384 (only OpenSSL 3.5+ and libgcrypt)
  • New cmake option WITH_HERMETIC_USR
  • Added support for Ed25519 keys through PKCS#11
  • Support for host-bound public key authentication (publickey-hostbound-v00@openssh.com)
  • Use curve25519 implementation from mbedTLS and libgcrypt
  • New functions for signing arbitrary data (commits) with SSH keys
    • sshsig_sign()
    • sshsig_verify()
  • Support for FIDO/U2F keys (internal implementation using libfido2)
    • Compatible with OpenSSH: should work out of the box
    • Extensible with callbacks
  • Add support for GSSAPI Key Exchange (RFC 4462, RFC 8732)
  • Add support for new configuration options (client and server):
    • RequiredRsaSize
    • AddressFamily (client)
    • GSSAPIKeyExchange
    • GSSAPIKexAlgorithms
  • New option to get list of configured identities (SSH_OPTIONS_NEXT_IDENTITY)
  • More OpenSSH compatible percent expansion characters
  • Add new server auth_kbdint_function() callback
  • New PKI Context structure for key operations
  • Stability and compatibility improvements of ProxyJump

SFTP:

  • Prevent failures when SFTP status message does not contain error message
  • Fix possible timeouts while waiting for SFTP messages
  • Support for [email protected] extension in client
  • Support for SSH_FXF_TRUNC in server

ChangeLog for libssh 0.11.4:

Security:

Other fixes:

  • Stability and compatibility improvements of ProxyJump

Wrapping up GSoC 2025
https://www.libssh.org/2025/11/20/wrapping-up-gsoc-2025/ Thu, 20 Nov 2025 19:06:03 +0000

It has been an amazing summer again, thanks to the Google Summer of Code program!

This year, we got a record number of project proposals: 33 students submitted proposals in spring. Out of these, we selected the best one, discussed the topic in detail before and during the GSoC development period, and for the first time we were able to merge the code and (we hope) release it in the same year! So let’s dive into what we worked on this year!

Support for FIDO/U2F keys on the client side

This project brings support for new authentication algorithms based on physical security keys, as defined and implemented by OpenSSH. By moving the key material off the host system onto separate cryptographic hardware and requiring user-presence verification, it largely eliminates the risk of private keys being stolen or misused on unattended machines.

This is the same project we accepted in the first year of our GSoC, but unfortunately the previous student was unable to complete the work. After the first year we had some doubts whether it was too large or too complicated, but this year was a success!

We selected Praneeth Sarode for this project. Praneeth had been in contact with us since January, and by the time he submitted a project proposal he already had an impressive eight non-trivial merge requests, touching very different parts of the code: sftp, crypto, callbacks and documentation!

We had some expectations about the design of the whole project, but over the first weeks, we came up with some improvements resulting in a more streamlined API and usage.

If you want to learn more about the project, please read Praneeth’s blog. You can also read through the new chapter in our libssh tutorial describing the new API and whole functionality.

The main Merge Request !617 is now merged and the code is available for testing in the master branch. We also hope to make a new release with all the things we have worked on over the last couple of years.

Thank you to everyone who made this happen! First of all, Praneeth for all the work, Eshan, Jakub and Sahana for mentoring this year, and Google for organizing this program!

libssh 0.11.3 security and bugfix release
https://www.libssh.org/2025/09/09/libssh-0-11-3-security-and-bugfix-release/ Tue, 09 Sep 2025 08:24:21 +0000

This is a security release of libssh to address the following security issues:

  • CVE-2025-8114: Fix NULL pointer dereference after allocation failure
  • CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX

In addition, version 0.11.3 contains several bugfixes and backports. For the full list, see the changelog below. Thanks to Philippe Antoine and Francesco Rollo for the responsible disclosure.

If you are new to libssh you should read our tutorial on how to get started. Please join our mailing list or visit our IRC or Matrix channels if you have questions.

You can download libssh here.

CHANGELOG

  • Security:
    • CVE-2025-8114: Fix NULL pointer dereference after allocation failure
    • CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX
    • Potential UAF when send() fails during key exchange
  • Bugfixes:
    • Fix possible timeout during KEX if client sends authentication too early (#311)
    • Cleanup OpenSSL PKCS#11 provider when loaded
    • Zeroize buffers containing private key blobs during export
libssh 0.11.2 security and bugfix release
https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/ Tue, 24 Jun 2025 13:38:36 +0000

This is a security release of libssh to address the following security issues:

  • CVE-2025-4877 – Write beyond bounds in binary to base64 conversion functions
  • CVE-2025-4878 – Use of uninitialized variable in privatekey_from_file()
  • CVE-2025-5318 – Likely read beyond bounds in sftp server handle management
  • CVE-2025-5351 – Double free in functions exporting keys
  • CVE-2025-5372 – ssh_kdf() returns a success code on certain failures
  • CVE-2025-5449 – Likely read beyond bounds in sftp server message decoding
  • CVE-2025-5987 – Invalid return code for chacha20 poly1305 with OpenSSL backend

In addition, version 0.11.2 contains several bugfixes and backports. For the full list, see the changelog below. Thanks to Ronald Crane for the responsible disclosure. Also thanks to Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum.

If you are new to libssh you should read our tutorial on how to get started. Please join our mailing list or visit our IRC or Matrix channels if you have questions.

You can download libssh here.

CHANGELOG

  • Security
    • CVE-2025-4877 – Write beyond bounds in binary to base64 conversion functions
    • CVE-2025-4878 – Use of uninitialized variable in privatekey_from_file()
    • CVE-2025-5318 – Likely read beyond bounds in sftp server handle management
    • CVE-2025-5351 – Double free in functions exporting keys
    • CVE-2025-5372 – ssh_kdf() returns a success code on certain failures
    • CVE-2025-5449 – Likely read beyond bounds in sftp server message decoding
    • CVE-2025-5987 – Invalid return code for chacha20 poly1305 with OpenSSL backend
  • Compatibility
    • Fixed compatibility with CPM.cmake
    • Compatibility with OpenSSH 10.0
    • Tests compatibility with new Dropbear releases
    • Removed p11-kit remoting from the pkcs11 testsuite
  • Bugfixes
    • Implement missing packet filter for DH GEX
    • Properly process the SSH2_MSG_DEBUG message
    • Allow escaping quotes in quoted arguments to ssh configuration
    • Do not fail with unknown match keywords in ssh configuration
    • Process packets before selecting signature algorithm during authentication
    • Do not fail hard when the SFTP status message is not sent by noncompliant servers
Wrapping up GSoC 2024
https://www.libssh.org/2024/10/21/wrapping-up-gsoc-2024/ Mon, 21 Oct 2024 09:57:35 +0000

This year marked the third time our libssh organization took part in the Google Summer of Code (GSoC) program. We mentored two students, Gauravsingh Sisodia and Francesco Rollo. Both students successfully completed the program and performed exceptionally well. Below, we will provide a summary of their projects and the outcomes they achieved.

Implement GSSAPI Key Exchange and Improve Testing

This project was proposed and implemented by Gauravsingh Sisodia. As part of this project he achieved these goals:

1. Setting up Kerberos in a test environment

Automated tests were added for libssh’s “gssapi-with-mic” authentication method, which lacked prior coverage. Kerberos KDC setup was automated using cwrap wrappers, and tests were written to verify client-server interactions between libssh and OpenSSH. Additionally, memory leaks were fixed, and server callbacks were properly configured.

2. Implementing GSSAPI Key Exchange

GSSAPI Key Exchange (RFC 4462) was implemented for both the libssh client and server. Tests were conducted against OpenSSH and libssh clients, and generic GSSAPI functions were created to reduce code duplication. The “gssapi-keyex” method was added, along with support for the SSH2_MSG_KEXGSS_HOSTKEY message on the libssh server.
The “Testing for GSSAPI Authentication” MR was already merged in the 0.11.0 release. The “Implementing GSSAPI Key Exchange” MR is a work in progress. It will be merged once the “null” hostkey algorithm is fully implemented and the documentation is further improved.
Gaurav’s work has been summarized in detail in his blog.

Support for OpenSSH certificates

This project was implemented by Francesco Rollo. The project aimed to enhance libssh’s limited pre-existing support for certificates, enabling better host and user authentication. Francesco’s work included implementing configuration options for both the client and server, parsing certificate fields, and building a robust certificate validation mechanism. These efforts improved libssh’s interoperability with OpenSSH certificates, making it more viable for organizations seeking improved SSH security.
His work for the program is implemented in the following MRs: #493, #500, #527
Future work includes finalizing the merge of the code and continuing contributions to the libssh project. Key areas of focus will be implementing Key Revocation List (KRL) control and developing a certificate generation feature. Francesco plans to stay actively involved in maintaining the libssh codebase and supporting the open-source community.
Francesco’s work has been summarized in detail in his blog.

Participation in GSoC Mentor Summit

For the first time, we also attended the GSoC Mentor Summit (October 4th to 6th in Sunnyvale). Our delegate was Jakub, who has been driving the libssh participation in GSoC since the first year and overseeing the project in both Org Admin and Mentor roles. We had the opportunity to engage with fellow mentors and organization admins, exchange insights, and gain valuable perspectives on open-source mentoring as well as on how the program is managed in other organizations. The summit provided a great platform for networking and learning, contributing to our ongoing efforts to improve both mentorship within the organization and the student experience.

Summary

This summer, we collaborated with two students on two exciting projects that could benefit our libssh users. Some of the PRs still need minor changes and the features haven’t been released yet, but we aim to finalize them soon. If you find this work interesting and have any feedback or ideas for future projects, or if you’d like to contribute down the line, please let us know.
We want to take this opportunity to thank our students for their participation, Eshan, Jakub and Sahana for their mentorship, the libssh community for their feedback and ideas, and of course, Google for organizing this program!

libssh 0.11.1 release
https://www.libssh.org/2024/08/30/libssh-0-11-1-release/ Fri, 30 Aug 2024 11:04:17 +0000

We are happy to announce the new libssh release 0.11.1. This is mostly a bugfix release fixing issues that were reported to us over the last month since the release of 0.11.0. Thank you to all the contributors who made this release possible by opening issues and contributing merge requests!

For those new to libssh, we recommend checking out our getting started tutorial. If you have any questions, feel free to join our mailing list or visit our Matrix channel.

You can download libssh-0.11.1 here.

Changelog:

  • Fixed default TTY modes that are set when stdin is not connected to a tty (#270)
  • Fixed zlib cleanup procedure, which could crash on i386
  • Various test fixes improving their stability
  • Fixed cygwin build

libssh 0.11.0 release
https://www.libssh.org/2024/08/08/libssh-0-11-0-release/ Thu, 08 Aug 2024 11:24:05 +0000

We are thrilled to announce libssh 0.11.0! This latest version brings exciting new features such as better async SFTP IO, PKCS#11 provider support for OpenSSL 3.0, testing for GSSAPI authentication, and proxy jump, along with many other enhancements and features detailed in the changelog.

A big thank you to all the contributors who made this release possible!

For those new to libssh, we recommend checking out our getting started tutorial. If you have any questions, feel free to join our mailing list or visit our Matrix channel.

You can download libssh-0.11.0 here.

Note: This release is using a new release key for signing tarballs. The public key can be downloaded here.

Changelog:

Deprecations and Removals:

  • Dropped support for DSA
  • Deprecated Blowfish cipher (will be removed in next release)
  • Deprecated SSH_BIND_OPTIONS_{RSA,ECDSA}KEY in favor of generic HOSTKEY
  • Removed the usage of deprecated OpenSSL APIs (Note: Minimum supported OpenSSL version is 1.1.1)
  • Disabled preauth compression (zlib) by default
  • Support for PKCS#11 engines is deprecated; pkcs11-provider is used instead
  • Deprecation of old partial async SFTP API
  • libgcrypt cryptographic backend is deprecated
  • Deprecation of knownhosts hashing

SFTP Improvements:

  • Added support for async SFTP IO
  • Added support for sftp_limits() and applied capping to SFTP read/write operations accordingly
  • Added sftp_home_directory() API support for sftp extension “home-directory”
  • Added sftp_lsetstat() API for lsetstat extensions
  • Added sftp_expand_path() to canonicalize path using the expand-path@openssh.com extension
  • Implemented stat and realpath in sftpserver
  • Added sftp_readlink() API to support [email protected]
  • New extensible callback based SFTP server
  • Introduced the [email protected] extension

New functions and features:

  • Added support for PKCS #11 provider for OpenSSL 3.0
  • Added testing for GSSAPI Authentication
  • Implemented proxy jump using libssh
  • Recategorized loglevels to show fatal errors and alignment with OpenSSH log levels
  • Added ssh_channel_request_pty_size_modes() API to set terminal modes for PTYs
  • Added function to check username syntax
  • Added support to check all keys in authorized_keys instead of one in example server implementation
  • Handled hostkey similar to OpenSSH
  • Added ssh_session_socket_close() API in order to not close socket passed through options on error conditions
  • Added option SSH_BIND_OPTIONS_IMPORT_KEY_STR to read user-supplied key string in ssh_bind_options_set()
  • Improved log handling around ssh_set_callbacks
  • Added ssh_set_error_invalid in ssh_options_set()
  • Prevented signature blobs from starting with a 1 bit in libgcrypt
  • Added support to unbreak key comparison of Ed25519 keys imported from PEM or OpenSSH container
  • Added support to calculate missing CRT parameters when building RSA key
  • Added ssh_pki_export_privkey_base64_format() and ssh_pki_export_privkey_file_format() to support exporting keys in different formats (PEM, OpenSSH)
  • Added support to compare certificates and handle automatic certificate authentication
  • Added support to make compile-commands generation conditional
  • Built fuzzers for normal testing
  • Avoided passing other events to callbacks when called recursively
  • Added control master and path options
  • Refactored channel_rcv_data, check for errors and report more useful errors
  • Added support to connect to other host addresses than just the first one
  • Terminated the server properly when the MaxAuthTries is reached
  • Added support for [email protected] request in both client and server
  • Added callback to support forwarded-tcpip requests
  • Bumped minimal CMake version to 3.12
  • Added support for MBedTLS 3.6.x
  • Added support for +,-,^ modifiers in front of algorithm lists in options
  • Added callbacks for channel open response, and channel request response
  • Replaced chroot() from chroot_wrapper internal library with chroot() from priv_wrapper package
  • Added a placeholder for non-expanded identities
  • Improved handling of channel transfer window sizes
libssh 0.10.6 and libssh 0.9.8 security releases
https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/ Mon, 18 Dec 2023 17:14:14 +0000

Edit 22. 12. 2023: It turns out these releases have a regression in parsing IPv6 hostnames. The fixes are already available in the linked issue.

With festive season approaching, the libssh team comes with an early present of new releases fixing three security issues.

The two new releases of libssh 0.9 and 0.10 address the following security issues:

  • CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand. More details can be found in the advisory.
  • CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex. More details can be found in the advisory.
  • CVE-2023-6918: Avoid potential use of weak keys in low memory conditions by systematically checking return values of MD functions. More details can be found in the advisory.

In addition, the 0.10 version contains several bugfixes and backports. For the full list, see the changelog below.

If you are new to libssh you should read our tutorial on how to get started. Please join our mailing list or visit our Matrix channel if you have questions.

You can download libssh here.

Merry Christmas everyone!

ChangeLog for libssh 0.10.6

  • Fix CVE-2023-6004: Command injection using proxycommand
  • Fix CVE-2023-48795: Potential downgrade attack using strict kex
  • Fix CVE-2023-6918: Missing checks for return values of MD functions
  • Fix ssh_send_issue_banner() for CMD(PowerShell)
  • Avoid passing other events to callbacks when poll is called recursively (#202)
  • Allow @ in usernames when parsing from URI composes

ChangeLog for libssh 0.9.8

  • Fix CVE-2023-6004: Command injection using proxycommand
  • Fix CVE-2023-48795: Potential downgrade attack using strict kex
  • Fix CVE-2023-6918: Missing checks for return values of MD functions
  • Allow @ in usernames when parsing from URI composes
Wrapping up 2023 GSoC
https://www.libssh.org/2023/09/07/wrapping-up-2023-gsoc/ Thu, 07 Sep 2023 14:52:26 +0000

The libssh organization participated in the Google Summer of Code (GSoC) program for the second time this year. As our team is small, we only accepted two students this year, Ahsen Kamal and Eshan Kelkar. In the following paragraphs, we will summarize their projects and results.

OpenSSH connection multiplexing

The first project, OpenSSH connection multiplexing, was implemented by Ahsen Kamal. This functionality should improve integration of the libssh tools with existing OpenSSH applications. As a result, we should get better performance for repeated connections in applications built with libssh. The project covered the following milestones:

  • Parsing of existing OpenSSH configuration options;
  • functionality to connect to existing OpenSSH mux server;
  • possibility to set up mux server for other clients to connect to.

Ahsen learned a lot about SSH protocol itself, libssh internals and testing. His current work is summarized in this article and in merge requests [1] and [2]. At the time of final evaluation, the mux server implementation in [2] was still in progress.

We still need to work on finalizing the implementation and make sure it is well tested before we are able to ship it in a stable release.

Async SFTP Client

The second project, an asynchronous SFTP client, was implemented by Eshan Kelkar. This was long-awaited functionality, as many users had asked us for higher-performance SFTP transfers, which are not possible with synchronous messaging. The existing API was also under-documented.

Eshan spent a lot of time investigating the existing SFTP API and proposed several improvements at various stages that led to better code, making sure that there is no need for type casts, the API is ready for non-blocking operations, we avoid needless copying of data between buffer layers, and the API is easy to use. Additionally, Eshan wrote a very nice tutorial describing how to use the new API, which will be part of the tutorial we provide on our website. For more information, see the links to his blog post and merge requests [1] and [2].

The next step, after releasing the new version of libssh, would be to use this new API in applications such as KIO sftp or curl, which are among our SFTP users.

Summary

During this summer, we worked with two students to complete two interesting projects that could be useful for our libssh users. The journey is not yet complete and the features are not yet released, but we plan to wrap them up soon. If you found this work interesting and have some comments or ideas for next projects or if you would like to help in the future, let us know.

With this post, I would like to thank our students for participating in this program, Sahana and Norbert for helping with the mentoring, the libssh community for providing feedback and ideas, and last but not least Google for running this program!

CVE-2023-3603: Potential NULL dereference in libssh’s sftp server
https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/ Fri, 14 Jul 2023 08:47:32 +0000

This is an announcement of a new CVE we fixed in libssh. This time, it was caught early enough, before hitting any released version, but if anyone is running the master version or using unreleased commits, this is worth your attention.

Background

Last summer, we worked with students to implement a callback-based SFTP server. It took a while to get merged; we hit a couple of roadblocks, including poll locks that were making large reads block the connection indefinitely. All of this was resolved and the code was merged a couple of months back. Even though all of us read and worked through the code, and we ran Coverity over it, we missed one allocation check, which could cause a NULL dereference.

Issue

This issue was reported to us by Wei Chong Tan and is described in the attached advisory including the possible impact. The fix was committed to the master branch as fe80f47b0ae8902d229ef9b8a1b4fa949b92e720 and will be in the next major release.

Given that this affects only master, no new libssh version was released. And given that this is new functionality, I do not expect many users to be using it already. But for the sake of transparency, and to credit the reporter, we are releasing the security advisory and CVE to keep everyone informed.
