GHSA-72p8-v4hg-v45p
MEDIUMWeak private key generation in SSH.NET
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
SSH.NETReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.
Description
During an X25519 key exchange, the client’s private is generated with System.Random:
var rnd = new Random();
_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
rnd.NextBytes(_privateKey);
Source: KeyExchangeECCurve25519.cs
Source commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3
System.Random is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.
Impact
When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the communications to decrypt them.
Workarounds
To ensure you're not affected by this vulnerability, you can disable support for curve25519-sha256 and [email protected] key exchange algorithms by invoking the following method before a connection is established:
private static void RemoveUnsecureKEX(BaseClient client)
{
client.ConnectionInfo.KeyExchangeAlgorithms.Remove("curve25519-sha256");
client.ConnectionInfo.KeyExchangeAlgorithms.Remove("[email protected]");
}
Thanks
This issue was initially reported by Siemens AG, Digital Industries, shortly followed by @yaumn-synacktiv.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| .NETNuGet | SSH.NET | all versions | 2020.0.2 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for SSH.NET. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update SSH.NET to 2020.0.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-72p8-v4hg-v45p is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-72p8-v4hg-v45p is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-72p8-v4hg-v45p. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-72p8-v4hg-v45p in your dependencies?
O3 detects GHSA-72p8-v4hg-v45p across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.