CVE-2025-14282

EUVD-2025-207001
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root,
only switching to the logged-in user upon spawning a shell or performing
some operations like reading the user's files.
With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root's credentials, bypassing both file system restrictions and any SO_PEERCRED / SO_PASSCRED checks performed by the peer.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
fedoraCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Debian logo
Debian Releases
Debian Product
Codename
dropbear
bookworm
2022.83-1+deb12u3
not-affected
bullseye
2020.81-3+deb11u2
not-affected
bullseye (security)
2020.81-3+deb11u3
fixed
forky
2025.89-1
fixed
sid
2025.89-1
fixed
trixie
2025.89-1~deb13u1
fixed
trixie (security)
2025.89-1~deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dropbear
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-14282
https://bugzilla.redhat.com/show_bug.cgi?id=2420052
https://github.com/mkj/dropbear/pull/391
https://github.com/mkj/dropbear/pull/394
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q4/002390.html
http://www.openwall.com/lists/oss-security/2025/12/16/4
http://www.openwall.com/lists/oss-security/2025/12/17/1