GHSA-gmhj-xjfh-cf6m
Caddy-SSH vulnerable to Authorization Bypass due to incorrect usage of PAM library
Severity: HIGH
Description
caddy-ssh calls pam_authenticate but never calls pam_acct_mgmt afterwards to check that the account is still valid (not expired, not otherwise restricted). Because the account check is skipped, a user with a correct but expired credential can still log in, which is an authorization bypass.
Impact
Exploitability
The attack can be carried out over the network. Exploitation requires a specialised condition rather than a default setup: the attacker must already hold a user's credentials, even if that account has since been expired, so the weakness cannot be exploited by guessing alone. No user interaction is required. Because the SSH server grants a shell on behalf of the host, the attack affects components outside the scope of the vulnerable module.
Impact
Using this attack vector, an attacker may access otherwise restricted parts of the system, including confidential files such as password hashes, login credentials and other secrets, so the impact on confidentiality is high. The access may also be used directly to change a system resource; the vector below rates this as a low impact on integrity (I:L). The attack does not affect the availability of the system. Taking this into account, an appropriate CVSS v3.1 vector is AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N.
Root Cause Analysis
In the affected PAM transaction, only a call to pam.Authenticate is used to log a user in. pam_authenticate verifies the supplied credential; deciding whether the account itself may still log in (expiry, lockout policy) is the job of pam_acct_mgmt, which is never called.
This means a user whose account has been expired can still log in with their old password. It also skips every account-type module in the PAM stack (pam_nologin, pam_access, pam_time and the like), so any policy enforced there is bypassed as well.
The bug can be verified easily by creating a new user account, expiring it with chage -E0 <username>, and then logging in over caddy-ssh with that user's still-valid password.
Patches
This can be fixed by calling pam.AcctMgmt after a successful call to pam.Authenticate and refusing the login if it returns an error.
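To make the root cause and the patch concrete, here is an added example; it is not code from caddy-ssh or from the advisory. It models the PAM transaction behind a small Transaction interface (an assumption: the real binding's Authenticate and AcctMgmt methods wrap pam_authenticate(3) and pam_acct_mgmt(3)) and drives it with a constructed user database, so it runs without libpam. loginVulnerable is the call sequence the advisory describes; loginFixed adds the account-management check. The sentinel error names and the demo users are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors standing in for the PAM return codes the stack would
// produce: PAM_AUTH_ERR from pam_authenticate, PAM_ACCT_EXPIRED from
// pam_acct_mgmt. Names are constructed for this example.
var (
	ErrAuthFailed  = errors.New("pam: authentication failure")
	ErrAcctExpired = errors.New("pam: account has expired")
)

// Transaction is an assumed stand-in for the transaction type of a Go PAM
// binding. The advisory refers to its Authenticate and AcctMgmt methods,
// which wrap pam_authenticate(3) and pam_acct_mgmt(3) respectively.
type Transaction interface {
	Authenticate() error // is the supplied credential correct?
	AcctMgmt() error     // is the account still allowed to log in?
}

// account is a constructed user record: a plaintext password (fine for a
// demo, never for real code) and whether the account has been expired,
// as `chage -E0 <user>` would do on a real host.
type account struct {
	password string
	expired  bool
}

// fakeTransaction simulates the PAM stack against a constructed user
// database so the example runs without libpam.
type fakeTransaction struct {
	user, password string
	db             map[string]account
}

// Authenticate only compares the credential, exactly like pam_authenticate:
// an expired account with the right password still passes here.
func (t fakeTransaction) Authenticate() error {
	a, ok := t.db[t.user]
	if !ok || a.password != t.password {
		return ErrAuthFailed
	}
	return nil
}

// AcctMgmt is where account validity is decided, like pam_acct_mgmt.
func (t fakeTransaction) AcctMgmt() error {
	if a, ok := t.db[t.user]; ok && a.expired {
		return ErrAcctExpired
	}
	return nil
}

// loginVulnerable reproduces the bug: the password check passes and nothing
// ever asks PAM whether the account is still valid, so an expired user
// with the right password gets in.
func loginVulnerable(t Transaction) error {
	return t.Authenticate()
}

// loginFixed is the patched sequence: pam_acct_mgmt runs only after a
// successful pam_authenticate, and any error it returns denies the login.
func loginFixed(t Transaction) error {
	if err := t.Authenticate(); err != nil {
		return err
	}
	if err := t.AcctMgmt(); err != nil {
		return fmt.Errorf("account check failed: %w", err)
	}
	return nil
}

// demoUsers is a constructed user database: alice's account has been
// expired but her password is still valid; bob is a normal user.
func demoUsers() map[string]account {
	return map[string]account{
		"alice": {password: "correct horse battery staple", expired: true},
		"bob":   {password: "hunter2", expired: false},
	}
}

func main() {
	db := demoUsers()
	expired := fakeTransaction{user: "alice", password: "correct horse battery staple", db: db}
	fmt.Println("vulnerable, expired user:", loginVulnerable(expired)) // <nil>: the bypass
	fmt.Println("fixed, expired user:", loginFixed(expired))           // account check failed
	fmt.Println("fixed, valid user:", loginFixed(fakeTransaction{user: "bob", password: "hunter2", db: db}))
}
```

With a real binding such as github.com/msteinert/pam the same sequence is t.Authenticate(0) followed by t.AcctMgmt(0), with the login refused if either returns an error. On a live host the chage -E0 <username> test from the section above exercises exactly this difference: the vulnerable server accepts the expired user, the patched one rejects the login at the account check.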
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| Go | github.com/mohammed90/caddy-ssh | all versions | No fix |
Detection & mitigation playbook
Detect
Scan your dependency tree (go.mod and go.sum for Go builds, including the go.mod that xcaddy generates for a custom Caddy binary; package-lock.json, pnpm-lock.yaml, requirements.txt and similar in other ecosystems) for github.com/mohammed90/caddy-ssh. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of github.com/mohammed90/caddy-ssh has shipped for GHSA-gmhj-xjfh-cf6m yet, and every published version is affected, so pinning to a different release does not help. Where your build allows, apply the change described under Patches (call pam.AcctMgmt after a successful pam.Authenticate and reject the login on error) in a fork or local patch, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't patch right away: disable the PAM/password authentication path in caddy-ssh if your deployment can use another authenticator, and make sure accounts that should be denied are actually locked (password disabled) rather than merely expired, since an expired account with a valid password still passes pam_authenticate. O3's runtime protection blocks exploitation in production as an interim safeguard until the fix lands.
How O3 protects you
O3 pinpoints whether GHSA-gmhj-xjfh-cf6m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until a patched build is deployed. Runtime protection reduces exposure until a permanent fix is applied and verified; it complements patching, it doesn't replace it.